Ireland fines Meta for 2018 'View As' breach that exposed 30M accounts

€251 million? Zuck can find that in his couch cushions, but Meta still vows to appeal


It's been six years since miscreants abused some sloppy Facebook code to steal access tokens belonging to 30 million users, and the slow-turning wheels of Irish justice have finally caught up with a €251 million ($264 million) fine for the social media biz. 

The Irish Data Protection Commission (DPC) today announced the conclusion of two investigations into a 2018 data breach caused by what Meta described at the time as a "complex interaction of multiple issues in our code" that allowed users to pilfer tokens via Facebook's "View As" feature, which lets users see their profiles as if they were another user.

Initially believed to have exposed personally identifiable information (PII) on as many as 90 million users, Meta later revised the number down to a mere 30 million. Per the DPC, approximately three million of those who had their access tokens pilfered are based in the EU.

"This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms," DPC deputy commissioner Graham Doyle said of the fine. "By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data."

According to the DPC, PII exposed in the attack included full names, email addresses, phone numbers, location, place of work, birthdate, religious affiliation, gender, user posts and groups users belonged to. The PII of children was also exposed, the DPC said. 

The pair of investigations concluded that the breach resulted in four violations of the EU's General Data Protection Regulation (GDPR). Meta violated Article 33, pertaining to breach notifications, by "not including in its breach notification all the information required" and "failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance." 

Article 25, which covers requirements for companies to design systems with proper data protection by default, was violated by Meta "failing to ensure that data protection principles were protected in the design of processing systems" and "failing in [its] obligations as controllers to ensure that, by default, only personal data that are necessary for specific purposes are processed."

Meta told The Register that it intends to appeal the decisions.

"We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission," a Meta spokesperson told us. "We have a wide range of industry-leading measures in place to protect people across our platforms."

Meta also said it has security features like multifactor authentication and login alerts available, and encouraged users to use them. 

This is only the latest case of the DPC fining Meta - which has its European HQ in Ireland - for violating EU data protection rules. The DPC charged Meta €1.2 billion for sending EU user data to the US, €390 million for using personal user data without consent on Facebook and Instagram and an additional €5.5 million for similar violations in WhatsApp - all of those fines were levied in 2023.  

Meta was also fined twice by the DPC in 2022, forking over €17 million for failing to protect user data and €265 million for Facebook allowing user data to be scraped and exposed online. 

This latest fine - if it sticks - will probably have a similar drop-in-the-bucket effect to all those other fines (minus the record-setting €1.2B one). Amounting to $264 million, today's bill equates to less than 2 percent of Meta's third quarter profit of $15.7 billion. ®
