Back in 2018, 29 million Facebook users around the world were affected by a security breach that exposed their personal data. Six years later, the Irish Data Protection Commission, which regulates Facebook’s parent company Meta in the European Union, has finally fined the company for the breach.
The DPC announced on Tuesday that it had fined Meta 251 million euros ($263.5 million) for failing to prevent cyber attackers from exploiting vulnerabilities in Facebook’s code. The exploit allowed users to view another user’s private profile information using the site’s “View As” feature. The exposed information included names, email addresses, phone numbers, locations, places of employment, dates of birth, religion, gender, timeline posts, groups users had been members of, and personal data of their children.
“This enforcement action highlights how failure to incorporate data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harm, including risks to their fundamental rights and freedoms,” DPC Deputy Commissioner Graham Doyle said in a statement. “Facebook profiles can and often do contain information about religious or political beliefs, sex lives and sexual orientation, and similar matters that users wish to disclose only in certain circumstances.”
Approximately 3 million people affected by the breach live in the European Union, where strict rules known as the General Data Protection Regulation protect citizens in the event of a breach of privacy. GDPR has served as a model for many other privacy laws around the world, such as California’s privacy regulations. It requires companies to self-report privacy violations, which can result in fines of up to 20 million euros or 4% of global revenue, whichever is higher. Meta is facing fines totaling approximately $3 billion for various violations.
The company announced on Tuesday that it plans to appeal the DPC’s decision.
“This decision relates to a 2018 incident,” a Meta spokesperson said in a statement. “We took steps to resolve the issue as soon as it was identified and proactively notified those affected and the Irish Data Protection Commissioner.”