It’s been an expensive day for Meta. First, Australia announced a $50 million AUD ($31.7 million USD) settlement with the company over the Cambridge Analytica scandal and now the Irish Data Protection Committee (IDPC) has fined Meta €251 million ($263 million). The IRDC fine stems from a personal data breach at Facebook in 2018.
The company said at the time that hackers had exploited “a weakness in Facebook’s code” related to the View As feature. This allowed them to acquire users’ access tokens and take over those accounts.
The bad guys were able to log into the Facebook accounts of nearly 29 million global users, including three million users in the European Union and European Economic Area. They gained access to information such as a user’s full name, email address, phone number, location, date of birth, religion, and personal data on children.
The IDPC has held Meta responsible for not having appropriate data protection in place when designing its processing systems, not processing personal data only when specifically required, and not disclosing all information about the breach.
“This enforcement action highlights that failure to build data protection requirements into the design and development cycle can expose individuals to very serious risks and harms, including risks to individuals’ fundamental rights and freedoms,” said Graham Doyle, DPC deputy commissioner. “By allowing the unauthorized display of profile information, the vulnerabilities behind this breach created a serious risk of misuse of this type of data.”
In response to the fine, a Meta spokesperson told Engadget, “This decision relates to an incident in 2018. We took immediate action to fix the issue as soon as it was identified, and we proactively notified those affected as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures in place to protect people on our platform.”
In Australia, the Cambridge Analytica scandal has been settled with a whistleblower who revealed in 2018 that the company had “exploited Facebook to acquire profiles of millions of people.” Facebook found out about it three years ago. Cambridge Analytica used this information to influence US voters for Donald Trump’s 2016 campaign and a pro-Brexit campaign. The company was previously led by Steve Bannon, who recently served time in prison for refusing to cooperate with the January 6 investigation.
The settlement should see an estimated 311,127 people receive payments. Eligible parties must have a Facebook account from November 2015 to December 2015, spend more than 30 days in Australia during that period and personally or have a Facebook friend who installed the This Is Your Digital Life app. Meta previously agreed to pay $725 million to users in the US.