The Irish privacy regulator, the Data Protection Commission (DPC), has imposed a fine of 251 million euros on Meta over a major data breach at Facebook in 2018. By abusing user access tokens, unauthorized third parties obtained data of 29 million users, including three million European users. The data included full name, email address, telephone number, location, workplace, date of birth, religion, gender, timeline posts, group memberships and personal data of children.
The breach originated in Facebook’s “View As” feature, which lets users see what their profile looks like to another user. For example, Facebook user “Alice” can see what her Facebook friend “Bob” sees when he views her profile. “View As” is supposed to be a view-only interface. Because of a bug, however, the option to upload a video was still shown in that mode.
In July 2017 a new version of the video uploader was introduced that incorrectly generated an access token carrying the permissions of the Facebook mobile app. When the video uploader was loaded inside “View As”, it did not generate that token for the user who was logged in (Alice), but for the user whose perspective she was previewing (Bob). With that token, Alice could act as Bob on Facebook.
Once the attackers held Alice’s access token, they could use “View As” to obtain Bob’s access token, and then repeat the same step to obtain tokens from Bob’s friends. In this way the access tokens of tens of millions of users were captured, Facebook, as the company was then known, said in its analysis of the incident.
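The mechanism above is a classic identity-confusion bug: a token minted inside a preview was bound to the previewed user rather than to the authenticated session, and it carried far more scopes than a read-only preview needs. The following added example, which is not Facebook's code, models both the vulnerable and the hardened issuer and replays the friend-by-friend harvesting described above over a constructed friend graph. All names, scope sets and the graph are hypothetical.

```python
"""Added illustration of the "View As" token-confusion bug described in the
article. Not Facebook's code: all names, scopes and the friend graph below
are constructed for this example."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional, Set
import secrets


@dataclass(frozen=True)
class Session:
    user: str            # the authenticated principal (Alice)


@dataclass(frozen=True)
class Token:
    subject: str         # whose identity the token carries
    scopes: frozenset
    value: str = field(default_factory=lambda: secrets.token_hex(8))


# Constructed friend graph used to model the chained harvesting.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave", "erin"},
    "carol": {"alice"},
    "dave": {"bob"},
    "erin": {"bob", "frank"},
    "frank": {"erin"},
    "grace": set(),      # not reachable from alice's friend graph
}

# Hypothetical scope sets: what the mobile app is granted versus what a
# read-only preview should ever receive.
MOBILE_APP_SCOPES = frozenset(
    {"read_profile", "read_posts", "read_friends", "publish_video"})
PREVIEW_SCOPES = frozenset({"read_profile"})


def issue_token_vulnerable(session: Session, view_as: Optional[str]) -> Token:
    """Models the bug: inside View As, the video uploader minted a token for
    the *viewed* user with full mobile-app scopes."""
    if view_as is not None:
        return Token(subject=view_as, scopes=MOBILE_APP_SCOPES)   # BUG
    return Token(subject=session.user, scopes=MOBILE_APP_SCOPES)


def issue_token_fixed(session: Session, view_as: Optional[str]) -> Token:
    """Hardened: the subject is always the authenticated user, and a preview
    only ever receives read-only scopes."""
    if view_as is not None:
        return Token(subject=session.user, scopes=PREVIEW_SCOPES)
    return Token(subject=session.user, scopes=MOBILE_APP_SCOPES)


def token_is_confused(session: Session, token: Token) -> bool:
    """Server-side invariant: a token handed to a session must name that
    session's user. Alerting on a hit here would have exposed the bug."""
    return token.subject != session.user


def harvest(issue: Callable[[Session, Optional[str]], Token], start: str) -> Set[str]:
    """Replays the chaining from the article: holding a token for X, open
    View As on each friend of X; a confused issuer then yields a token for
    that friend. Returns the users whose tokens the attacker ends up holding."""
    held = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for friend in FRIENDS[current]:
            if friend in held:
                continue
            tok = issue(Session(user=current), view_as=friend)
            if tok.subject == friend:         # issuer leaked the friend's token
                held.add(friend)
                queue.append(friend)
    return held


if __name__ == "__main__":
    print("vulnerable issuer:", sorted(harvest(issue_token_vulnerable, "alice")))
    print("fixed issuer:     ", sorted(harvest(issue_token_fixed, "alice")))
```

With the vulnerable issuer a single compromised account yields tokens for everyone reachable through the friend graph; with the fixed issuer the attacker never gets past the account they started with, because every token is bound to the session that requested it and a preview is limited to read-only scopes.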
According to the DPC, Meta violated the GDPR on several counts. Meta had not included in its data breach notification all the information it could and should have provided. The company had also failed to document the facts surrounding the breach and the steps taken to remedy it in a way that would allow the regulator to verify whether the company was compliant.
Furthermore, the DPC finds that Meta had failed to build data protection principles into the design of its processing systems (data protection by design) and had not ensured that, by default, only the personal data necessary for each specific purpose was processed (data protection by default). The total fine for the four violations amounts to 251 million euros. The DPC will publish the full decision at a later date. Meta had a turnover of 129 billion euros last year.
In short:
Summary Points | Details |
---|---|
Fine Imposed | Meta fined 251 million euros by the Irish DPC for a data breach affecting 29 million users. |
Nature of Breach | Unauthorized access via user tokens, impacting personal data including names, emails, and locations. |
Cause of Breach | Flaw in the “view as” feature led to incorrect access token generation. |
GDPR Violations | Meta violated GDPR by failing to document the breach, provide complete notifications, and protect data principles. |
Meta’s Context | Meta had a turnover of 129 billion euros in the previous year. |