Following a data breach involving hundreds of millions of users’ personal details, Facebook parent company Meta has been assessed a €265 million fine by the Irish Data Protection Commission.
The DPC opened an investigation after hundreds of millions of Facebook users’ names, phone numbers, and email addresses were made public in an online hacking forum last year.
The investigation, which started in April 2021, covered Instagram, Facebook, and Messenger tools, the DPC said. It covered the period from 25 May 2018 to September 2019.
According to the Commission, Meta violated Article 25 of the GDPR. Along with the €265 million in “administrative fines,” it also formally reprimanded Meta and issued an order requiring it to bring its processing practices into compliance.
A spokesperson for Meta earlier this afternoon claimed that the company “cooperated fully” with the DPC on the problem and had patched the vulnerability in its systems during the relevant period.
The spokesperson said: “Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge.”
Scraping means using automated software to lift public information from the internet, which can then end up being distributed in online forums.
“Because this data set was so large, because there had been previous instances of scraping on the platform where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction,” Data Protection Commissioner Helen Dixon said in an interview with RTÉ. She added the fine was so large due to the “considerable” risks for individuals, which included scamming, spamming, smishing, phishing and loss of control over their personal data.
A record fine of €405 million was handed to Meta in September for violations involving the processing of children’s data on Instagram, according to the national broadcaster, and Meta filed an appeal with the High Court.