
Meta Platforms, the parent company of Facebook, Instagram, WhatsApp and Threads, has been fined 251 million euros (approximately $263 million) for a 2018 data breach that affected millions of users in the bloc. This is the company’s latest financial hit after being accused of violating strict privacy laws.
The Irish Data Protection Commission (DPC) said the data breach affected around 29 million Facebook accounts worldwide, of which around 3 million were based in the European Union and European Economic Area (EEA). It’s worth noting that the tech giant’s initial estimates put the total number of affected accounts at 50 million.
The incident, revealed by the social media company in September 2018, stemmed from a bug introduced in Facebook’s systems in July 2017 that allowed an unknown attacker to abuse the “View As” function, which lets a user view their profile as someone else.

This ultimately allowed an account access token to be obtained, allowing the attacker to compromise the victim’s account. The categories of personal data affected as a result of the security breach include the user’s name, email address, phone number, location, workplace, date of birth, religion, gender, timeline posts, the user’s group affiliations, and children’s personal data.
“Users utilizing the (View As) feature may invoke a video uploader in conjunction with Facebook’s ‘Happy Birthday Composer’ feature,” the DPC said.
“The video uploader then generates a fully authorized user token that grants full access to the other user’s Facebook profile. The user can then use that token to take advantage of the same combination of features, giving access to multiple users’ profiles and the data that can be accessed through them.”
The data protection watchdog also said that malicious attackers used scripts to exploit the flaw between September 14 and 28, 2018, to gain unauthorized access to 29 million Facebook accounts worldwide. Meta has since removed the feature that caused the issue.
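The class of flaw the DPC describes, a component inside a simulated view issuing a token for the account being viewed rather than the account that logged in, can be modelled in a few lines. This is an added example, not Meta’s code: every name in it (`RequestContext`, `mint_token_flawed`, `mint_token_hardened`, `audit`) is hypothetical, and the account names are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestContext:
    actor: str                      # account that actually authenticated
    view_as: Optional[str] = None   # account whose perspective is simulated

    @property
    def effective_user(self) -> str:
        # Identity the page is rendered for, NOT the identity that logged in.
        return self.view_as or self.actor


@dataclass(frozen=True)
class AccessToken:
    subject: str
    scope: str


class TokenRefused(Exception):
    """Raised when a credential is requested from a simulated view."""


def mint_token_flawed(ctx: RequestContext) -> AccessToken:
    # Flawed: trusts the rendering identity, so a component embedded in a
    # simulated view issues a full token for the simulated account.
    return AccessToken(subject=ctx.effective_user, scope="full")


def mint_token_hardened(ctx: RequestContext) -> AccessToken:
    # Hardened: a simulated view is read-only and never issues credentials;
    # outside it, a token is bound to the authenticated actor only.
    if ctx.view_as is not None:
        raise TokenRefused("no credential issuance inside a simulated view")
    return AccessToken(subject=ctx.actor, scope="full")


def audit(ctx: RequestContext, token: AccessToken) -> bool:
    # Detection-side invariant: token subject must equal the session actor.
    return token.subject == ctx.actor
```

Running `audit` over issued tokens is the kind of check that flags the mismatch even when the minting path itself has not been fixed.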
The fines are based on breaches of four different articles under the GDPR, namely Article 33(3), Article 33(5), Article 25(1) and Article 25(2).
The failures cited are: not including in the breach notification all information that could and should have been included; not documenting the facts about each breach and the steps taken to correct them in a manner that allows the supervisory authority to verify compliance; not ensuring that data protection principles were protected in the design of processing systems; and neglecting the controller’s obligation to ensure that only personal data that is necessary for a specific purpose are processed.
“This enforcement action highlights how failure to incorporate data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harm, including risks to their fundamental rights and freedoms,” DPC Deputy Commissioner Graham Doyle said.
“By allowing the unauthorized publication of profile information, the vulnerabilities behind this breach posed a significant risk of this type of data being misused.”
This is the second fine imposed by the DPC against Meta, which was fined €91 million (1 was fined $1.5 million).
The development follows Meta’s A$50 million ($31.5 million) settlement with the Australian Information Commissioner’s Office (OAIC), under which a payment program was agreed, over the 2018 Cambridge Analytica scandal, which involved the misuse of users’ personal information for political profiling and advertising targeting.

This program is open to individuals who held a Facebook account between November 2, 2013 and December 17, 2015, were in Australia for more than 30 days during that period, and either installed the This is Your Digital Life app or were a Facebook friend of an individual who installed the app.
Fifty-three Australian Facebook users installed the app, and 311,074 Facebook users may have had their personal information requested by the app as friends of the users who installed it.
The proposed settlement provides for two tiers of payments: a base payment for those who experienced general concern or embarrassment as a result of the breach, and a specific payment for those who can prove they suffered loss or damage. The payment program is expected to officially accept applications in the second quarter of 2025.
Australian Information Commissioner Elizabeth Tydd said: “This represents a substantive resolution to the privacy concerns raised by the Cambridge Analytica issue and provides potentially affected Australians with the opportunity to seek redress through the Meta payments program. This will bring an end to lengthy court proceedings.”