The Irish Data Protection Commission (DPC) recently imposed a €251 million fine on Meta, Facebook’s parent company, due to a serious security breach. This incident affected approximately 29 million accounts worldwide, including 3 million in Europe. The decision stems from an investigation launched following a security incident that revealed significant vulnerabilities in the handling of user data.
The incident dates back to July 2017, when Facebook introduced a feature allowing users to view their own profile as it appeared to others. A design flaw allowed malicious actors to combine this feature with another option and obtain access tokens they were not entitled to. Those tokens gave them unauthorized access to users’ profiles and personal information, including name, email address, phone number, and date of birth.
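The security lesson in the paragraph above is that a "view as another user" preview must never hand the caller a credential for the user being impersonated. The following is an added illustration written for this page, not Meta's or Facebook's code, and the feature is modelled only in outline: a constructed session object, a toy HMAC-signed bearer token, and a hypothetical signing key. It places the flawed token-issuing path next to the corrected one, where the token subject is always the authenticated principal and a preview can only narrow the token's scope.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets

# Constructed placeholder signing key (assumption; a real service would load a managed secret).
SERVER_KEY = b"constructed-demo-signing-key"


@dataclass(frozen=True)
class Session:
    user_id: str                   # the principal who actually logged in
    view_as: Optional[str] = None  # profile the preview should be rendered as, if any


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()[:16]


def mint_token(subject: str, scope: str) -> str:
    """Create a signed bearer token of the form subject:scope:nonce.signature."""
    payload = f"{subject}:{scope}:{secrets.token_hex(4)}"
    return f"{payload}.{_sign(payload)}"


def parse_token(token: str) -> Optional[dict]:
    """Verify the signature and return the claims, or None if the token was tampered with."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    subject, scope, _nonce = payload.split(":")
    return {"subject": subject, "scope": scope}


def issue_token_vulnerable(session: Session) -> str:
    # Modelled design flaw: the preview path mints the token for the profile being viewed,
    # so rendering a preview "as bob" hands the caller a full-scope token that acts as bob.
    subject = session.view_as or session.user_id
    return mint_token(subject, "full")


def issue_token_fixed(session: Session) -> str:
    # Corrected path: the subject is always the authenticated principal. A preview only
    # narrows the scope; it never changes whose identity the token carries.
    if session.view_as is not None:
        return mint_token(session.user_id, "preview-read")
    return mint_token(session.user_id, "full")


def authorize(token: str, action: str, target_user: str) -> bool:
    """Allow `action` on `target_user`'s data only with a valid token whose subject is that user."""
    claims = parse_token(token)
    if claims is None or claims["subject"] != target_user:
        return False
    if claims["scope"] == "preview-read":
        return action == "read"
    return True


if __name__ == "__main__":
    preview = Session("alice", view_as="bob")
    print("vulnerable token subject:", parse_token(issue_token_vulnerable(preview))["subject"])
    print("fixed token subject:     ", parse_token(issue_token_fixed(preview))["subject"])
```

Running the block shows the vulnerable issuer returning a token whose subject is the impersonated user, while the fixed issuer returns one bound to the logged-in user with read-only scope. The preview rendering itself should rely on the server-side session, so no token for the viewed profile is ever needed; a review of any impersonation or "view as" feature should check that every credential minted on that path is derived from the authenticated session, not from the view target.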
Although Meta implemented corrective measures after identifying the breach, the DPC highlighted the risks associated with inadequate data protection practices during the design of digital platforms. The authority found several violations of the General Data Protection Regulation (GDPR) by Meta, pointing out shortcomings in the breach notification and in the documentation of the corrective measures adopted by the company. The DPC emphasized the importance of integrating strict data protection requirements from the earliest stages of development to safeguard users’ rights.
The vulnerabilities that led to the breach pose a significant risk of misuse of personal information, making the adoption of adequate preventive measures crucial.
The current fine adds to the total of €2.8 billion already imposed on Meta for similar violations, although only €17 million has actually been collected due to ongoing legal disputes.
Meta announced its intention to appeal the DPC’s decision, reiterating its commitment to protecting user data and the measures taken to ensure security on its platforms.
