The European Union's privacy watchdog has fined Meta €251 million following an investigation into a 2018 Facebook data breach that compromised the security of millions of accounts. The decision was announced on Monday after Ireland’s Data Protection Commission (DPC) concluded its inquiry, which revealed significant breaches of EU privacy regulations.
The 2018 incident occurred when hackers exploited vulnerabilities in Facebook’s “View As” feature, allowing them to steal access tokens—digital keys that give users persistent access to their accounts without needing to log in repeatedly. These tokens enabled attackers to control affected accounts and propagate the breach across friends' profiles.
Initially, Facebook estimated that 50 million accounts were affected. However, the DPC clarified that the actual number was closer to 29 million, including 3 million users in Europe. The commission's investigation found multiple GDPR violations, leading to the reprimand and financial penalties.
Meta has vowed to appeal the decision, stating that it took immediate action upon discovering the breach. “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified,” the company said. Meta emphasized that it informed both affected users and relevant regulators, including the FBI and EU authorities.
The company also clarified that the vulnerability was promptly patched to prevent further exploitation.
Under the EU’s General Data Protection Regulation (GDPR), the Irish Data Protection Commission serves as Meta's lead privacy regulator because the company’s regional headquarters are based in Dublin. The GDPR requires companies to safeguard user data and imposes hefty penalties for non-compliance.
This fine adds to Meta’s growing list of regulatory challenges. Over the past few years, the tech giant has faced increased scrutiny over its handling of user data, both in Europe and globally. Similar cases have seen fines imposed on Meta in South Korea and other regions for data privacy violations.