Meta fined millions in penalties due to data leak

Facebook logo on a smartphone
Approximately 29 million users globally were affected by the data theft. (Source: IMAGO / AAP)

The Irish Data Protection Commission (DPC) has imposed a fine of €251 million on Facebook's parent company, Meta. The case concerns a security vulnerability through which unknown persons gained access to the personal data of Facebook users in 2018.

As the authority announced on Tuesday, about 29 million users worldwide were affected at the time, approximately 3 million of them in the EU.

Unauthorized persons used the vulnerability to steal personal data that users had stored on the platform. According to the data protection authority, this included full names, email addresses, telephone numbers, dates of birth and places of residence. The attackers could also access information about gender, religion and place of employment, and could see which posts users had published on Facebook and which groups they belonged to. According to the DPC, personal data of children was also among the stolen data.

Meta reported the security vulnerability itself

The authority began its investigation after Meta (then Facebook) reported the security issue in September 2018. The company stated at the time that the vulnerability had existed from July 2017 until September 2018 in the “View As” feature, which lets users see how their profile appears on Facebook to people who are not their friends.

The security vulnerability allowed unauthorized persons to steal so-called “access tokens” from Facebook. These tokens are a kind of digital key that keeps users logged in to the Facebook app.

Originally, the company assumed that approximately 50 million users were affected; after the investigation, that number was revised downwards. By its own account, the platform closed the vulnerability within two days of discovering it in September 2018.

The Irish data protection authority has now found several violations of the EU General Data Protection Regulation (GDPR) and imposed a separate fine for each of them; together they add up to €251 million.

Deputy Commissioner Graham Doyle said the decision underlined how failures in design and development processes can expose people to serious risk and harm. He added that Facebook profiles often contain information that users may want to reveal only in certain circumstances, such as religious and political views or sexual orientation. The vulnerability at Facebook enabled unauthorized persons to access these details, which poses a great risk of misuse of the affected data.

The Irish data protection authority is responsible for Meta within the EU because the company's European headquarters is located in Dublin. The DPC has already imposed several privacy-related fines on Meta, but critics repeatedly accuse it of being too slow in processing cases.

A total of €2.8 billion in fines

As reported by the Irish public service broadcaster RTÉ, the fines the DPC has imposed on Meta now total €2.8 billion. To date, only €17 million of that amount has actually been paid, because the company has appealed some of the authority's decisions. Meta is also expected to appeal the fine in the current case.

In Germany, the Federal Court of Justice (BGH) ruled in November (German article) that the “mere and temporary loss of control over one's own personal data” as a result of a GDPR violation can in itself constitute non-material damage “within the meaning of the standard”, so that a claim for compensation may exist. Neither a specific instance of data misuse nor any other noticeable negative consequence is required.

The background to those proceedings was also an incident at Facebook. In September 2019, unknown persons scraped data from Facebook. Scraping means automatically collecting and compiling publicly accessible data without breaking into IT systems; it often violates the platforms' terms and conditions.

As a result, personal data of up to 533 million Facebook users from 106 countries was published in an online forum. It included email addresses, telephone numbers, dates of birth, gender, relationship status and residential addresses. For this incident, the Irish data protection authority had already imposed a fine of €256 million on Meta two years ago.

After the BGH ruling, the Federation of German Consumer Organisations (vzbv) filed a class action lawsuit against Meta (German article). It is intended to allow those affected by the scraping incident to assert claims for damages against Facebook free of charge. (dpa / js)