Facebook’s parent group Meta Platforms Inc. on Monday was fined €265m (£228m) by the Irish Data Protection Commission (DPC) for a data breach discovered in 2021 that disclosed the personal details of hundreds of millions of Facebook users online.

The penalty stemmed from an investigation that the DPC commenced on April 14, 2021 into news reports that a collated dataset of Facebook personal data on more than 533 million users was made available on the internet, following an instance of scraping.

The dataset, which surfaced on a well-known hacking forum in 2021, held personal data on more than 533 million Facebook users from 106 countries that had been scraped between 2018 and 2019. It included phone numbers, Facebook IDs, full names, locations, birthdates and bios and, in some cases, email addresses, giving threat actors a ready-made mapping from phone number to identity.

At the time, Meta said the data had not been obtained by hacking its systems but had been “scraped” by abusing its “Contact Importer” feature, which lets a user upload a phone book to find friends on the platform: uploading large sets of phone numbers turned the feature into a bulk lookup of which numbers belonged to which accounts. Meta changed the feature in 2019 so that it could no longer be used this way.
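The following is an added illustration, not Meta's code or a description of its implementation, of the design class at issue: a contact-importer lookup that resolves every uploaded phone number, beside a hardened version that honours a per-user discoverability setting (off by default, in the spirit of Article 25(2)), budgets the distinct numbers a caller may upload per window, and counts refused lookups so a sweep is visible to detection. The directory, the budget and the `discoverable_by_phone` setting are assumptions made for the example.

```python
"""Constructed model of a contact-importer lookup: the weak design that lets
a caller enumerate phone numbers in bulk, beside a hardened one. Added
illustration only, not Meta's code; the directory, the per-caller budget and
the 'discoverable_by_phone' setting are assumptions."""
import time
from collections import defaultdict

# Constructed directory: E.164 number -> profile. discoverable_by_phone is an
# assumed per-user setting that a privacy-by-default design leaves off.
USERS = {
    "+15550000001": {"id": 1001, "name": "Alice", "discoverable_by_phone": True},
    "+15550000002": {"id": 1002, "name": "Bob", "discoverable_by_phone": False},
    "+15550000005": {"id": 1005, "name": "Carol", "discoverable_by_phone": False},
    "+15550000009": {"id": 1009, "name": "Dan", "discoverable_by_phone": True},
}


def number_range(count, prefix="+1555"):
    """Constructed attacker input: a contiguous block of candidate numbers."""
    return [f"{prefix}{n:07d}" for n in range(count)]


def weak_contact_import(phones, users=USERS):
    """Weak design: every uploaded number with an account is resolved, whatever
    the account holder chose and however many numbers the caller uploads.
    Uploading a whole block therefore yields a phone -> profile table."""
    return {p: {"id": users[p]["id"], "name": users[p]["name"]}
            for p in phones if p in users}


class HardenedContactImporter:
    """Hardened design:
    1. only users who opted in to discovery by phone are resolvable;
    2. each caller gets a budget of distinct numbers per window, so a block
       sweep is cut off and the refusals are counted for detection;
    3. 'no account' and 'not discoverable' look identical to the caller."""

    def __init__(self, users=USERS, budget=100, window_seconds=86400,
                 clock=time.time):
        self.users = users
        self.budget = budget
        self.window = window_seconds
        self.clock = clock                     # injectable for testing
        self._usage = defaultdict(lambda: [0.0, set()])  # caller -> [start, seen]
        self._refused = defaultdict(int)       # caller -> refused lookups

    def _charge(self, caller_id, phones):
        """Count distinct numbers against the caller's window budget and
        return the subset that may be looked up."""
        now = self.clock()
        start, seen = self._usage[caller_id]
        if now - start >= self.window:         # new window: reset
            start, seen = now, set()
        allowed = []
        for p in phones:
            if p in seen:                      # repeats of a known number are free
                allowed.append(p)
            elif len(seen) < self.budget:
                seen.add(p)
                allowed.append(p)
            else:
                self._refused[caller_id] += 1
        self._usage[caller_id] = [start, seen]
        return allowed

    def contact_import(self, caller_id, phones):
        result = {}
        for p in self._charge(caller_id, phones):
            u = self.users.get(p)
            if u is not None and u["discoverable_by_phone"]:
                result[p] = {"id": u["id"], "name": u["name"]}
        return result

    def refused_count(self, caller_id):
        """Lookups refused for this caller; a large value from one account in
        one window is the signal a scraping detector keys on."""
        return self._refused[caller_id]


if __name__ == "__main__":
    sweep = number_range(200)
    print("weak:", weak_contact_import(sweep))
    hardened = HardenedContactImporter(budget=100)
    print("hardened:", hardened.contact_import("scraper", sweep))
    print("refused:", hardened.refused_count("scraper"))
```

Run as-is, the weak lookup hands a 200-number sweep all four accounts, while the hardened one returns only the two opted-in users, stops charging after 100 distinct numbers, and records 100 refusals against the caller. A real deployment would back the usage table with shared storage and alert on the refusal counter rather than just expose it.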

Ireland’s regulator said the company had failed to comply with the General Data Protection Regulation’s (GDPR) requirement for “data protection by design and default.”

The watchdog said that, as part of its investigation, it examined and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to the processing carried out by Meta Platforms Ireland Limited (‘MPIL’) between 25 May 2018 and September 2019.

The material issues in the inquiry concerned compliance with the GDPR obligation of data protection by design and default.

The DPC found Meta in breach of Articles 25(1) and 25(2) of the GDPR, summarized below:

  • 25(1) – The data controller shall implement appropriate technical and organizational measures, such as pseudonymization, and integrate the necessary safeguards into the processing to meet the requirements of this Regulation and protect the rights of data subjects.
  • 25(2) – The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each processing purpose are processed. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

“There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU,” reads the press release by the DPC. “Those supervisory authorities agreed with the decision of the DPC.”

Besides the fine, Meta has been issued with a reprimand and an order requiring it to bring its processing into compliance “by taking a range of specified remedial actions” within a set timeframe. The DPC has not said exactly what those actions involve.

In a statement on Monday, Meta said that “Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue.

“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” it added.

“Unauthorized data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”