Meta has been fined more than 250 million euro (£206 million) by the Irish Data Protection Commission over a data breach.
The breach affected approximately 29 million Facebook accounts globally, of which some three million were based in the EU/EEA.
It was reported by Meta in September 2018.
By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data
The personal data involved in the breach included account users’ full names, email addresses, phone numbers, locations, places of work, dates of birth, religions, genders, posts on timelines, groups of which a user was a member and children’s personal data.
It arose from the exploitation by unauthorised third parties of user tokens on the Facebook platform. The breach was remedied by Meta in Ireland and its US parent company shortly after its discovery.
The decisions in relation to the breach, which were made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, included a number of reprimands and an order to pay administrative fines totalling 251 million euro.
DPC Deputy Commissioner Graham Doyle said a grave risk of misuse of data had been caused.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” he said.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances.
“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”