Malicious parties exploited a vulnerability in a feature the platform launched in 2017 to access millions of users’ data.
The Irish data protection watchdog has fined Meta €251m for a 2018 data breach affecting approximately 29m Facebook accounts globally.
The Data Protection Commission (DPC), in its announcement today (17 December) said that the social media giant failed to include necessary safeguards in its code design to ensure adequate user data protection, as well as failing to ensure that only necessary data was processed.
The breach, which affected approximately 3m users in the EU and European Economic Area, came as a result of exploitation of user tokens – codes that verify a user’s identity – by third parties who accessed the personal data of millions, which comprised users’ full names, emails, phone numbers, locations, places of work, birth dates as well as their children’s personal data.
According to the DPC, Meta, which was found in breach of four articles of the General Data Protection Regulation (GDPR), also did not include all the required information in its breach notification and failed to document facts relating to each breach and the steps it took to remedy them in a way that allowed the authorities to verify its compliance.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” said DPC deputy commissioner Graham Doyle.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
A Meta company spokesperson told SiliconRepublic.com: “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission.
“We have a wide range of industry-leading measures in place to protect people across our platforms.”
How user tokens were exploited
Facebook deployed a video uploading function in mid-2017 which malicious parties could use in conjunction with other features to access personal user data.
When the new feature was used alongside the already existing ‘View As’ feature and the ‘Happy Birthday Composer’ facility, third-party users could generate a video that gave them access to a user’s Facebook profile.
Over a span of two weeks in September 2018, malicious third parties exploited this method, gaining the ability to log on as the account holders of nearly 30m Facebook accounts whose sensitive personal data was rendered vulnerable.
At the time, Guy Rosen, Facebook’s then vice-president of product management, who is now the company’s chief information security officer, said that the cyberattack began on 14 September and went undetected until 25 September.
However, the company fixed its vulnerabilities within two days, he said, adding “people’s privacy and security are incredibly important, and we are sorry this happened”.
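The design flaw described above, modelled in Python as an added illustration (this is not Facebook’s or Meta’s code, and the function and field names are invented): a “view as” preview path hands an embedded component a token for the profile being rendered rather than for the authenticated viewer, so the viewer ends up holding a credential that acts as someone else. The hardened variant binds every token to the authenticated principal and gives previews a narrow scope, and an audit check flags any token whose subject differs from the requesting session.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo key; a real service would fetch this from a secret store.
SIGNING_KEY = b"constructed-demo-signing-key"


def mint_token(subject: str, scopes: Tuple[str, ...]) -> str:
    """Issue an HMAC-signed bearer token bound to `subject` with `scopes`."""
    payload = f"{subject}|{','.join(scopes)}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def parse_token(token: str) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Verify the signature; return (subject, scopes), or None if malformed or tampered."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    subject, scope_str, sig = parts
    expected = hmac.new(
        SIGNING_KEY, f"{subject}|{scope_str}".encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    scopes = tuple(s for s in scope_str.split(",") if s)
    return subject, scopes


@dataclass(frozen=True)
class PreviewRequest:
    session_user: str        # the authenticated principal making the request
    view_as: Optional[str]   # the profile whose point of view is being previewed


def render_preview_vulnerable(req: PreviewRequest) -> str:
    """Flawed design (hypothetical): the embedded composer is handed a token for
    the profile being rendered, so the viewer receives a token that acts as the
    previewed user, with full scopes."""
    subject = req.view_as or req.session_user
    return mint_token(subject, ("read_profile", "write_post"))


def render_preview_fixed(req: PreviewRequest) -> str:
    """Hardened design: the token subject is always the authenticated principal,
    and a preview gets a narrow scope that cannot act on the previewed account."""
    return mint_token(req.session_user, ("preview_render",))


def audit_issuance(session_user: str, token: str) -> Optional[str]:
    """Detection control: report any token whose subject differs from the
    principal of the session that requested it. Returns None when clean."""
    parsed = parse_token(token)
    if parsed is None:
        return "invalid or tampered token"
    subject, scopes = parsed
    if subject != session_user:
        return (f"token for {subject} issued to session of {session_user} "
                f"(scopes={','.join(scopes)})")
    return None


if __name__ == "__main__":
    req = PreviewRequest(session_user="viewer", view_as="target")
    for name, render in (("vulnerable", render_preview_vulnerable),
                         ("fixed", render_preview_fixed)):
        tok = render(req)
        print(name, "->", parse_token(tok), "| audit:", audit_issuance("viewer", tok))
```

The audit function is the piece a defender would wire into token-issuance logging: a subject/session mismatch is cheap to check at mint time and would have surfaced the first misuse of the preview path rather than leaving it to be noticed from traffic anomalies days later.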
Meta has been penalised several times for GDPR breaches. Earlier this year, the DPC fined Meta €91m for improperly storing passwords; in 2023 it fined the company €390m for targeted advertising practices that breached privacy regulations, and in 2022 it imposed a €265m fine after a database with information on 533m Facebook users surfaced on a hacking forum the year prior.
Updated, 1.45pm, 17 December 2024: This article was updated to include a statement provided by Meta.