Ireland’s data protection watchdog has fined Meta Platforms (Nasdaq: META) €251 million over a 2018 data breach that exposed personal information of approximately 29 million Facebook users worldwide, including 3 million in the European Union.
The Irish Data Protection Commission announced two decisions on Monday following own-volition inquiries into the breach, which occurred when unauthorized third parties exploited user tokens on the Facebook platform to access sensitive personal data.
Commissioners Dr. Des Hogan and Dale Sunderland found that the compromised information included users’ full names, email addresses, phone numbers, locations, workplace details, dates of birth, religious affiliations, gender, timeline posts, group memberships, and children’s personal data.
The larger penalties focused on Meta’s failure to implement proper data protection measures, with fines of €130 million for inadequate system design and €110 million for processing unnecessary personal data. Additional penalties included €8 million for incomplete breach notification and €3 million for documentation failures.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms,” said DPC Deputy Commissioner Graham Doyle. He emphasized that Facebook profiles often contain sensitive information about religious or political beliefs and sexual orientation that users may wish to keep private.
The decision was reached through the European Union’s General Data Protection Regulation cooperation mechanism, with no objections raised by other EU data protection authorities when the draft decision was submitted in September 2024.
Meta, which promptly addressed the security vulnerability after its discovery in 2018, received formal reprimands along with monetary penalties. The DPC said it would publish the complete decision and additional information in due course.
Information for this story was found via the sources and companies mentioned. The author has no securities or affiliations related to the organizations discussed. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.
