Meta Platforms, the company behind Facebook, Instagram, WhatsApp, and Threads, has been fined €251 million ($263 million) for a 2018 data breach that exposed the personal data of millions, including 3 million users in the EU. The Irish Data Protection Commission (DPC) imposed the penalty, citing violations of GDPR privacy regulations, marking yet another significant financial hit for the tech giant.
The breach, disclosed in September 2018, arose from a flaw in Facebook’s “View As” feature, which allowed users to see their profile as others would. This bug, present since July 2017, enabled attackers to exploit the feature to generate access tokens, giving them unauthorized access to user accounts. Affected data included names, emails, phone numbers, work details, birth dates, religion, posts, and even children’s personal information. The attack was executed using scripts between September 14 and 28, 2018, affecting 29 million accounts globally.
Meta initially estimated the breach impacted 50 million accounts worldwide, but the final number was later reduced. Despite this, the breach’s scope highlighted serious vulnerabilities in Facebook’s system. Meta has since removed the “View As” feature to prevent similar issues in the future.
The DPC found Meta guilty of four GDPR violations, including failing to fully document the breach, not implementing adequate data protection measures in its system design, and processing unnecessary personal data. These lapses underscored Meta’s shortcomings in safeguarding user privacy. Deputy Commissioner Graham Doyle emphasized that the vulnerabilities exposed users to grave risks, including the misuse of sensitive data.
This is not the first time Meta has faced fines for privacy breaches. In September 2024, it was fined €91 million ($101.5 million) for storing user passwords in plaintext, further reinforcing concerns about its handling of sensitive information. The DPC’s enforcement actions underscore the consequences of non-compliance with the GDPR.
In a separate case, Meta agreed to pay AU$50 million ($31.5 million) to settle claims in Australia related to the misuse of user data during the Cambridge Analytica scandal. This settlement addresses privacy violations stemming from the political profiling and ad targeting of users. The settlement program offers compensation to affected Australian Facebook users based on their exposure to the scandal.
Eligible individuals in Australia include those who had a Facebook account between November 2013 and December 2015 and either installed the “This Is Your Digital Life” app or were connected to someone who did. Payments will be divided into two tiers: a general base payment for embarrassment or concern and a specific payment for demonstrable loss or damage. Applications for compensation are expected to open in mid-2025.
These cases highlight Meta’s ongoing challenges with privacy compliance and the financial consequences of failing to uphold user protections. The penalties and settlements reflect the growing global scrutiny of tech giants and their responsibility to secure personal data.