Ireland fines Meta $264 million over 2018 Facebook data breach
The Irish Data Protection Commission (DPC) fined Meta €251 million ($263.6M) over General Data Protection Regulation (GDPR) violations arising from a 2018 personal data breach impacting 29 million Facebook accounts.
The breach was caused by unauthorized parties exploiting user access tokens, exposing sensitive user data such as names, email addresses, phone numbers, and physical locations; the affected accounts included those of children.
Although Facebook took immediate corrective action upon discovering the bug in its "View As" feature, the incident still violated several GDPR articles.
Specifically, the Irish DPC says the following GDPR violations are related to the incident:
- Article 33(3): Incomplete breach notification details → €8M fine
- Article 33(5): Poor documentation of breach facts/remedies → €3M fine
- Article 25(1): Failure to embed data protection in system design → €130M fine
- Article 25(2): Failure to limit data processing to what's necessary → €110M fine
"This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals," commented Graham Doyle, the DPC's Deputy Commissioner.
The DPC has promised to publish the entire decision soon, providing the public with more insight.
In response to the DPC's announcement, Meta sent BleepingComputer the following statement:
"This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed the people impacted, as well as the Irish Data Protection Commission," Meta told BleepingComputer.
"We have a wide range of industry-leading measures in place to protect people across our platforms."
Meta settles in Australia
Also today, the Australian Information Commissioner announced that Meta has agreed to a $50 million settlement for Australian Facebook users impacted by the Cambridge Analytica incident.
The settlement resolves privacy breaches under the Privacy Act 1988 involving data disclosed to the This is Your Digital Life app, potentially misused for political profiling.
Australians who held a Facebook account between November 2, 2013, and December 17, 2015, spent more than 30 days in Australia, and either installed the This is Your Digital Life app or were Facebook friends with someone who did are eligible for compensation.
More details about the payment scheme are available on the enforceable undertaking page.
Meta sent BleepingComputer a separate statement on that development, distancing itself from its past practices.
"We settled on a no admissions basis, as it is in the best interest of our community and shareholders that we close this chapter on allegations that relate to past practices no longer relevant to how Meta's products or systems work today. We look forward to continuing to build services Australians love and trust with privacy at the forefront," Meta told BleepingComputer.