Data breach comes back to haunt Meta as tech giant fined $260M


The European Union’s top data privacy regulator has fined Meta €251 million ($263 million) over a data breach affecting almost 30 million Meta users back in 2018.

The Irish Data Protection Commission (DPC) made the decision to reprimand and fine Meta on December 17th, 2024.

A draft decision was submitted to the General Data Protection Regulation (GDPR) in September and supposedly received no objections.


According to the DPC, Meta committed several GDPR violations: it did not include all required information in its breach notification, failed to document the facts relating to the breach, failed to uphold data protection principles, and processed personal data that was not necessary for its stated purposes.

The EU’s top data privacy watchdog has ordered the tech giant to pay €251 million, roughly $260 million, for a personal data breach that affected its users in 2018.

The incident affected almost 30 million Facebook accounts across the world, with roughly 3 million users based in the European Union (EU) and European Economic Area (EEA).


Personal data leaked included:

  • Full names
  • Email addresses
  • Phone numbers
  • Locations
  • Places of work
  • Dates of birth
  • Religion
  • Gender
  • Facebook posts
  • Facebook groups

The DPC also said that personal data relating to children was exposed during the leak.


This isn’t the first time the DPC has fined the tech giant. Back in September, the DPC slapped Meta Platforms with a $100 million fine for exposing plaintext passwords of a reported 600 million Facebook users.

The DPC’s decision closed an inquiry brought against Meta Platforms Ireland back in 2019 after American security researcher Brian Krebs broke the story in March of that year.

Meta was the first to alert the regulatory body that it had inadvertently stored the user passwords without using cryptographic protection or encryption – in violation of security requirements as laid out in the General Data Protection Regulation (GDPR).