Summary

  • Meta was fined €251 million for a 2018 security breach that exposed the data of three million European Union citizens.
  • A vulnerability in Facebook’s ‘View as’ feature allowed hackers to access private user data.
  • This comes a year after the EU fined Meta a record-setting €1.2 billion for transferring user data off EU servers to the US.



Privacy is taken seriously in the European Union. Meta, the parent company of Facebook, just learned that lesson after being fined €251 million ($246 million) by Ireland’s Data Protection Commission (DPC). It all stems from a 2018 security breach that exposed the personal data of 29 million users around the world, including three million European citizens (via notebookcheck.net).


The breach allowed hackers to gain unauthorized access to user accounts and steal data including full names, contact details, places of work, gender, and dates of birth. That is essentially everything a bad actor needs to impersonate a person online or start taking out loans in their name.




Here’s how hackers broke into Facebook

A screenshot of the public 'view as' option for Nathan Drescher's Facebook page.

The breach happened thanks to a vulnerability in Facebook’s ‘View as’ feature, which lets users check how their profile looks to the public. Hackers exploited a flaw in that feature’s access controls to reach the private sections of users’ profiles and steal their data. Facebook found the flaw shortly after the breach was identified, but not before tens of millions of people had been affected.

DPC Deputy Commissioner Graham Doyle noted that Meta (then called Facebook) worked quickly to fix the problem after it was discovered, but highlighted the severity of the breach.

“By allowing unauthorized exposure of profile information,” Doyle told the press, “the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”



Meta’s track record with EU regulators

This isn’t Meta’s first big-ticket run-in with the authorities in the European Union. The DPC fined Meta a record-setting €1.2 billion in 2023 for illegally transferring user data from EU servers to the United States, violating the EU’s General Data Protection Regulation (GDPR).

The GDPR sets much stricter standards for data and privacy protection than US law does. The latest €251 million penalty, although a drop in the bucket for a company of Meta’s size, is still significant and reinforces that the EU will continue to hold tech giants accountable if they want to do business in Europe. For Meta, it adds another challenge to its already complicated relationship with regulators both at home and abroad.