Meta, the tech giant that earns tens of billions in profits, received a €251 million fine from the EU on Tuesday for a Facebook security breach more than six years after the incident.
The security flaw allowed hackers to access personal data such as full names, email addresses, phone numbers, dates of birth, and religions, according to the Irish Data Protection Commission (DPC).
The regulator imposed this fine on behalf of the EU because Meta’s European headquarters is in Dublin.
The case, which Facebook disclosed in September 2018, caused a global scandal. The DPC noted that "this data breach affected around 29 million Facebook accounts worldwide, including approximately 3 million in the EU."
"We took immediate action to resolve the issue as soon as it was identified and proactively informed the impacted people and the Irish Data Protection Commission," a Meta spokesperson said in a statement, adding that the company plans to appeal.
Hackers exploited several bugs in the View As feature, which lets users see how their profile looks to others, to access the data.
Using this feature erroneously generated digital login keys, known as “access tokens,” which allow users to stay logged in without re-entering their passwords.
The DPC began its investigation in late 2018. This was one of the first actions against a major Internet player under the EU’s General Data Protection Regulation (GDPR), which had come into effect a few months earlier.
Meta has been regularly criticised in the EU, but its penalties, often imposed years after the events, seem little more than a slap on the wrist for the Menlo Park giant, which recently reported third-quarter revenue of $40.59 billion (€38.7 billion), with profits of $15.69 billion, exceeding market expectations.