Meta Fined €251 Million by Ireland Over 2018 Cyberattack

Meta Platforms Inc. has been fined €251 million ($263 million) by Ireland's Data Protection Commission (DPC) for a 2018 data breach that compromised the data of millions of users, as reported by SiliconANGLE.

The DPC, responsible for overseeing Meta's privacy practices in the European Union, levied the fine for the company's failure to adequately protect user data in accordance with the EU's General Data Protection Regulation (GDPR).

The breach, which occurred in September 2018, exploited a vulnerability in Facebook's "View As" feature, allowing hackers to steal access tokens from approximately 29 million users. These tokens, containing sensitive information such as names, dates of birth, and posts, were then used to compromise additional data.

The DPC's fine comprises two main components:

  • €130 million: For Meta's failure to effectively implement data protection principles in its systems.
  • €110 million: For storing more user information than necessary, violating GDPR's principle of data minimization.

An additional €11 million was assessed for Meta's failure to properly document the breach and its remediation efforts, as well as for providing an insufficiently detailed breach notification to regulators.

This fine is the latest in a series of penalties levied against Meta by the DPC in recent years. In a previous case, the company was fined €90 million for storing hundreds of millions of account passwords in an unencrypted format.

Meta's failure to adequately protect user data in the 2018 breach, coupled with its subsequent shortcomings in reporting and remediation, underscores the ongoing challenges tech companies face in complying with GDPR's stringent data protection requirements.