Meta Platforms Fined €251 Million Following 2018 Data Breach

Significant Penalty for Meta Platforms Under EU Law

Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been ordered to pay a €251 million fine (about $263 million) due to a large-scale data breach in 2018. The European regulators claim that the company failed to respect strict privacy rules, marking another major financial setback for Meta.


Scope of the Breach

The Irish Data Protection Commission (DPC) reported that the breach affected around 29 million Facebook accounts worldwide. About 3 million of these accounts were based in the European Union and the European Economic Area. Although Meta’s original estimates suggested that up to 50 million accounts were at risk, the confirmed figure now stands at 29 million.

Exploiting the “View As” Feature

The breach, which Meta disclosed in September 2018, stemmed from a flaw introduced into Facebook’s systems in July 2017. Attackers abused the “View As” feature, which lets a user see their own profile as another user would see it. Combined with the video uploader attached to the “Happy Birthday Composer,” this feature could be made to generate a fully functional user token for the viewed account, granting complete access to that account. The attackers then chained this from one account to the next, harvesting personal information as they went.
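The design failure described above is a preview path that mints a token carrying the viewed user’s identity and full rights. The following added illustration (not Facebook’s code; the token format, claim names and demo key are assumptions) contrasts that defect with a preview token bound to the real actor, limited to a read-only scope and rejected by any write endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for a stand-alone run; a real service would use a managed secret.
SECRET = b"constructed-demo-key"


def _sign(claims: dict) -> str:
    """Encode claims and attach an HMAC-SHA256 tag (assumed token format)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(token: str) -> dict:
    """Check the tag in constant time and return the claims, or raise."""
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))


def mint_preview_token_flawed(actor_id: str, viewed_id: str) -> str:
    """Defect: the preview token names the viewed user as its subject with full scope,
    so every endpoint that accepts it treats the holder as that user."""
    return _sign({"sub": viewed_id, "scope": "full"})


def mint_preview_token(actor_id: str, viewed_id: str, ttl_seconds: int = 300) -> str:
    """Fix: the subject stays the real actor; the viewed identity is a separate claim,
    the scope only permits the read-only preview, and the token expires quickly."""
    return _sign({"sub": actor_id, "view_as": viewed_id,
                  "scope": "preview:read", "exp": time.time() + ttl_seconds})


def authorize_write(token: str, resource_owner: str) -> bool:
    """A write endpoint: only an unexpired full-scope token whose subject owns the
    resource is accepted. A correctly scoped preview token can never satisfy this."""
    claims = _verify(token)
    if "exp" in claims and claims["exp"] < time.time():
        return False
    return claims.get("scope") == "full" and claims.get("sub") == resource_owner
```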

Personal Information Exposed

During the breach, sensitive details such as full names, email addresses, phone numbers, locations, workplaces, birthdates, religious views, gender, timeline posts, group memberships, and even information about children were exposed. The attackers used automated scripts between September 14 and September 28, 2018, to access these accounts. Meta has since removed the problematic feature.

Violations of GDPR Regulations

The DPC found Meta in breach of four parts of the General Data Protection Regulation (GDPR):

  • Not providing complete details in its initial breach notice
  • Not keeping full records of each breach and related steps taken to resolve them
  • Failing to design its systems with data protection at the core
  • Not ensuring that personal data processing was limited to what was truly necessary

Lessons for Data Protection

Graham Doyle, Deputy Commissioner at the DPC, stated that this enforcement shows the importance of building privacy safeguards right from the start of system design. He noted that failing to do so not only breaks the law but also exposes users to serious risks, including the misuse of their personal data.

Previous Fines and Australian Settlement

In September 2024, the DPC fined Meta €91 million (around $101.5 million) for a 2019 security incident involving the unintentional storage of user passwords in plain text. Now, Meta must also manage a settlement with Australia’s Office of the Australian Information Commissioner (OAIC). Meta agreed to pay AU$50 million ($31.5 million) to resolve issues related to the misuse of users’ personal data for political profiling and ad targeting stemming from the 2018 Cambridge Analytica scandal.

This settlement will be offered to users who had a Facebook account between November 2, 2013, and December 17, 2015, lived in Australia for more than 30 days in that period, and either installed the “This is Your Digital Life” app or were friends with someone who did. It is expected that the payment process will open during the second quarter of 2025, providing a way for affected Australians to seek some form of compensation.