EU fines Meta €251 million for data breach

The European Union’s privacy regulators have fined Facebook’s parent company, Meta, €251 million following an investigation into a 2018 data breach that compromised millions of user accounts.

Ireland’s Data Protection Commission issued the penalties after wrapping up its inquiry into the breach when hackers gained access to user accounts by exploiting bugs in the platform’s code that allowed them to steal digital keys, known as “access tokens.”

Under the strict privacy regime of the 27-nation EU, the Irish watchdog is Meta’s lead privacy regulator because the company’s regional headquarters are based in Dublin.

The watchdog issued reprimands and “administrative penalties” worth 251 million euros ($264 million) after it found multiple infringements of the rules, known as the General Data Protection Regulation.

The company said it would appeal the decision.

“This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified,” Meta said. The company said it “proactively informed people impacted” as well as the Irish watchdog.

When it first disclosed the problem, Facebook said 50 million user accounts were affected. But the actual number was around 29 million, including 3 million in Europe, the Irish watchdog said Tuesday.

The company has said that after discovering the bug, it alerted the FBI and regulators in the U.S. and Europe.

The hack involved three distinct bugs in Facebook’s “View As” feature, which let people see how their profiles appeared to others. The attackers used the vulnerability to steal access tokens from the accounts of people whose profiles came up in searches using the “View As” feature. The attack then moved from one user’s Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.

AP