The European Union’s privacy watchdogs have fined Facebook owner Meta €251 million for a 2018 data breach affecting millions of users. The penalties were issued by Ireland’s Data Protection Commission, which serves as Meta’s lead privacy regulator under EU rules.
The breach occurred when hackers exploited bugs in Facebook’s “View As” feature, allowing them to steal access tokens, or digital keys, used to control user accounts. Exploiting three distinct vulnerabilities, the attackers gained access to accounts, moving from one user’s friends list to another.
Initially, Facebook reported that 50 million accounts were affected. However, the Irish watchdog clarified that the breach impacted 29 million accounts, including 3 million users in Europe. Meta stated it had alerted the FBI and regulators in both Europe and the US after identifying the issue.
The Irish commission imposed the fines after concluding that Meta violated the EU’s General Data Protection Regulation (GDPR). In addition to the fines, the watchdog issued formal reprimands for the company’s handling of the breach.
Meta has announced its intention to appeal the decision. In a statement, the company said, “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified.” Meta added that it proactively informed affected users and the Irish commission.
This significant fine highlights the EU’s strict enforcement of data protection laws, signalling that tech giants will face serious consequences for privacy failures.