Meta Fined €251 Million Following Data Breach Affecting Millions
The Irish Data Protection Commission (DPC) has imposed a €251 million fine on Meta Platforms Ireland Limited (MPIL) following two inquiries into a major data breach that occurred in 2018, as reported in a DPC press release.
In a Rush? Here are the Quick Facts!
- About 29 million Facebook accounts globally were affected, including approximately 3 million in the EU/EEA.
- Fines include €8 million for an incomplete breach notification and €3 million for failing to document the breach, plus €130 million and €110 million for data protection by design and by default failures.
- DPC warns about risks of unauthorized exposure of sensitive personal data on Facebook.
The breach, which affected around 29 million Facebook accounts globally, exposed sensitive personal data, including names, email addresses, phone numbers, and more. Of those impacted, approximately 3 million accounts were based in the European Union and European Economic Area (EU/EEA), said the DPC.
The breach occurred when unauthorized third parties exploited user tokens on the Facebook platform, gaining access to user data. MPIL reported the incident in September 2018, and the breach was remedied promptly by MPIL and its US parent company.
The Record notes that a Meta spokesperson issued a statement highlighting that the fine stems from an incident that occurred six years ago.
“We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission,” the statement said, as reported by The Record. “We have a wide range of industry-leading measures in place to protect people across our platforms.”
In its final decisions, the DPC cited multiple violations of the General Data Protection Regulation (GDPR), resulting in substantial fines. The Commission’s inquiries identified two key areas of non-compliance.
The first decision found that Meta’s breach notification to the DPC omitted information that the GDPR requires a controller to include (Article 33(3)), and that Meta had failed to document the facts of the breach, the steps taken and their effects (Article 33(5)). For these two infringements the DPC levied fines of €8 million and €3 million, respectively.
The second decision concerned data protection by design and by default (Article 25 GDPR). The DPC found that Meta had failed to build data protection principles into the design of its processing systems and had not integrated adequate safeguards into them (Article 25(1)).
Meta was also penalized for failing to ensure, by default, that only the personal data necessary for a given purpose was processed (Article 25(2)). The DPC imposed fines of €130 million and €110 million, respectively, for these two infringements.
Graham Doyle, Deputy Commissioner of the DPC, emphasized the seriousness of the breach, highlighting how inadequate data protection measures can expose individuals to significant risks.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances,” Doyle said in the press release.
“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data,” Doyle added.
The DPC’s inquiries followed the GDPR’s cooperation procedure for cross-border cases: draft decisions were submitted to the other EU/EEA supervisory authorities concerned in September 2024. None raised objections to the DPC’s findings, and the Commission thanked those authorities for their cooperation.
This enforcement action serves as a stark reminder of the importance of robust data protection measures for companies operating within the EU.
The fine announced on Tuesday marks the latest financial penalty Meta has faced for breaching European data protection law. In September, the DPC fined Meta €91 million (about $101.5 million) for storing some users’ passwords in plaintext rather than protecting them appropriately.