Meta Fined €251M For 2018 Data Breach That Affected 29M Facebook Accounts

Meta, Facebook’s parent company, was fined €251 million (around $263 million) on Tuesday by the Irish Data Protection Commission (DPC) for violating the General Data Protection Regulation (GDPR) in connection with a data breach discovered in 2018 that exposed the personal data of millions of users.

According to Ireland’s regulator, the breach dates back to July 2017, when Facebook deployed a video upload function that included a “View As” feature.

This feature allowed users to view their own Facebook page as another user would.

The attackers exploited a vulnerability in Facebook’s “View As” feature, which allowed them to invoke the video uploader in conjunction with Facebook’s “Happy Birthday Composer” feature.

The video uploader generated a user token that gave the attackers full access to the other user’s Facebook profile.

Per the DPC, the attackers used the stolen token to exploit similar features across other accounts, gaining access to multiple user profiles and their associated data.
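The issuance flaw described above, modelled in a few lines as an added example (not Facebook's code): a request carries the authenticated user plus an optional "view_as" target, and a sub-feature mints a user token from that request. The request shape, the HMAC token format and the constructed key are assumptions; the point is that the flawed issuer takes its subject from the profile being previewed, while the fixed issuer binds the token to the authenticated principal and narrows its scope, and an issuance-time audit catches the mismatch.

```python
"""Simplified model of a 'View As' token flaw (added example, not Facebook's code).
Assumes a request object with the logged-in user and an optional view_as target."""
from dataclasses import dataclass
from typing import Optional
import hmac, hashlib, json

SECRET = b"constructed-demo-key"  # constructed for the demo; load real keys from a KMS

@dataclass
class Request:
    authenticated_user: str            # who actually logged in
    view_as: Optional[str] = None      # profile owner being impersonated for preview

def _sign(payload: dict) -> str:
    # Token = hex(body) + "." + HMAC-SHA256(body); a stand-in for a real token format
    body = json.dumps(payload, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def mint_token_flawed(req: Request) -> str:
    # Flaw: the uploader derives identity from the profile being rendered,
    # so in View As mode the token is issued for the *other* user with full scope.
    subject = req.view_as or req.authenticated_user
    return _sign({"sub": subject, "scope": "full"})

def mint_token_fixed(req: Request) -> str:
    # Fix (data protection by design): preview mode never changes whose token is
    # minted, and the token only carries the scope the feature needs.
    return _sign({"sub": req.authenticated_user, "scope": "video_upload"})

def token_subject(token: str) -> str:
    body_hex, sig = token.split(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad token signature")
    return json.loads(body)["sub"]

def audit_issuance(req: Request, token: str) -> bool:
    """Detection control: a token minted during a request must name the
    authenticated user as its subject; anything else is an alert."""
    return token_subject(token) == req.authenticated_user
```

Running the audit over tokens minted in preview mode shows the flawed issuer failing and the fixed one passing, which is the kind of invariant check a token service can enforce before a token ever leaves the backend.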

The agency added that between September 14 and September 28, 2018, unauthorized persons used scripts to exploit this vulnerability and gained access to approximately 29 million Facebook accounts globally, including 3 million within the European Union (EU) and European Economic Area (EEA).

The compromised personal data included the user’s full name, email address, phone number, location, place of work, date of birth, religion, gender, posts on timelines, groups of which the user was a member and their children’s personal data.

Shortly after discovering the bug in its “View As” feature, Facebook security personnel took immediate corrective action and removed the functionality.

The Irish DPC specifically identified the following GDPR violations in connection to the 2018 data breach:

  • Article 33(3): Failure to provide breach notification details -> €8 million fine
  • Article 33(5): Inadequate documentation of breach facts and remedies -> €3 million fine
  • Article 25(1): Failure to integrate data protection in system design -> €130 million fine
  • Article 25(2): Failure to ensure that only personal data that are necessary for specific purposes are processed by default -> €110 million fine

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” commented Graham Doyle, the DPC’s Deputy Commissioner.

“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

In response to the DPC’s announcement, a spokesperson for Meta, in a statement to BleepingComputer, stated, “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed the people impacted, as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures in place to protect people across our platforms.”

Kavita Iyer (https://www.techworm.net)