Meta Received A $275 Million Fine Following the 2021 Massive Data Leak
The Investigation Revealed that Meta Infringed 2 GDPR Articles, Failing to Protect Its Users’ Data.
The investigation into the 2021 Facebook data leak has resulted in a $275.5 million fine for the company, together with a set of corrective measures, the Irish Data Protection Commission (DPC) announced in a press release yesterday.
DPC launched the investigation in April 2021, after a Facebook data breach led to the publication of data belonging to 533 million Facebook users worldwide on a hacker forum.
The leaked information included cell phone numbers, Facebook IDs, names, genders, localities, relationship statuses, occupations, birth dates, and email addresses. This information was released on a well-known hacker site, allowing threat actors to exploit it for targeted attacks.
Facebook stated at the time that the threat actors collected the data by abusing its "Contact Importer" tool: by submitting large lists of phone numbers, they could match each number to a Facebook ID and then pull the remaining public profile fields to build a record per user. The platform said the underlying flaw was fixed in 2019 and that the data had been scraped before that fix.
If you want to learn more about the 2021 incident, my colleague Cezarina wrote an extensive article on the 2021 Facebook Data Breach.
DPC Concludes: Meta Infringed Articles 25(1) and 25(2) of the GDPR
The conclusion of DPC’s investigation was that Meta (formerly Facebook) violated Articles 25(1) and 25(2) of the GDPR, which are described as follows:
- Article 25 (1) – The data controller shall implement appropriate technical and organizational measures, such as pseudonymization, and integrate the necessary safeguards into the processing to meet the requirements of this Regulation and protect the rights of data subjects.
- Article 25 (2) – The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each processing purpose are processed. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
The inquiry was comprehensive and involved cooperation with the other data protection supervisory authorities in the EU, all of which agreed with the DPC's decision.
Data Scrapers: A Rising Threat
Data scrapers are automated bots that abuse the public-facing APIs of sites that hold user data, such as Facebook, to extract publicly accessible information at scale and build enormous databases of user profiles.
While no software vulnerability has to be exploited, the data sets that scrapers collect can be merged with data from other sources (other websites) to build comprehensive user profiles, which makes tracking by marketers and targeting by threat actors significantly more effective, as Bleeping Computer explains.
Most online sites prohibit scraping in their terms of service, but enforcing that ban is technically challenging, as the recent TikTok and WeChat cases demonstrated.
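The two technical points above, bulk phone-number matching through a contact-import endpoint and the difficulty of enforcing an anti-scraping policy, come down to telling an address-book sync apart from an enumeration run. The following is an added example, not code from Meta or from the article, of detection logic run over constructed request logs for a hypothetical contact-import endpoint. The log format (timestamp, account, IP, submitted number, whether it matched), the accounts `u1001` and `u2002`, and all thresholds are assumptions chosen for illustration; real numbers would be hashed and real thresholds tuned against traffic. It flags an account when, within one window, it submits too many numbers, most of them fail to resolve to a user, or the submitted numbers form a contiguous block, which is what enumerating a number range looks like and what a genuine contact list almost never does.

```python
"""Hypothetical enumeration detector for a contact-import endpoint.

Added example; not Facebook/Meta code. Log lines are constructed here
and the thresholds below are illustrative assumptions, not Meta's values.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed tuning: legitimate address-book syncs are small and mostly hit;
# enumeration is large, low-yield and walks contiguous number blocks.
MAX_LOOKUPS_PER_WINDOW = 25
MIN_MATCH_RATE = 0.5
MAX_SEQUENTIAL_FRACTION = 0.6
MIN_LOOKUPS_FOR_RATE_CHECKS = 10
WINDOW_SECONDS = 3600


@dataclass
class AccountStats:
    first_ts: int = 0
    lookups: int = 0
    matches: int = 0
    numbers: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed log line: 'ts account ip phone matched(0/1)'."""
    ts, account, ip, phone, matched = line.split()
    return int(ts), account, ip, phone, matched == "1"


def sequential_fraction(numbers):
    """Fraction of adjacent numbers (after sorting) that differ by exactly 1.

    A contact list scatters across many ranges; an enumeration run
    submits +1, +2, +3 ... and scores close to 1.0 here.
    """
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return adjacent / (len(digits) - 1)


def assess(log_lines):
    """Return {account: (verdict, reasons)} using a simple tumbling window
    per account (the window restarts when a lookup falls outside it)."""
    stats = defaultdict(AccountStats)
    for line in log_lines:
        ts, account, _ip, phone, matched = parse_line(line)
        s = stats[account]
        if s.lookups == 0 or ts - s.first_ts > WINDOW_SECONDS:
            s.first_ts, s.lookups, s.matches, s.numbers = ts, 0, 0, []
        s.lookups += 1
        s.matches += int(matched)
        s.numbers.append(phone)

    verdicts = {}
    for account, s in stats.items():
        reasons = []
        match_rate = s.matches / s.lookups
        seq = sequential_fraction(s.numbers)
        if s.lookups > MAX_LOOKUPS_PER_WINDOW:
            reasons.append(f"{s.lookups} lookups in window")
        if s.lookups >= MIN_LOOKUPS_FOR_RATE_CHECKS and match_rate < MIN_MATCH_RATE:
            reasons.append(f"match rate {match_rate:.0%}")
        if s.lookups >= MIN_LOOKUPS_FOR_RATE_CHECKS and seq > MAX_SEQUENTIAL_FRACTION:
            reasons.append(f"{seq:.0%} of numbers sequential")
        verdicts[account] = ("throttle" if reasons else "allow", reasons)
    return verdicts


def build_sample_log():
    """Constructed traffic: one normal sync and one enumeration run."""
    lines = []
    # u1001: address-book sync of six unrelated numbers, five of them on the platform
    legit = [("+15550101234", 1), ("+15550178812", 1), ("+15550130044", 0),
             ("+15550194710", 1), ("+15550122291", 1), ("+15550155517", 1)]
    for i, (phone, hit) in enumerate(legit):
        lines.append(f"{1617000000 + i} u1001 203.0.113.5 {phone} {hit}")
    # u2002: walks a contiguous block, one lookup per second, few numbers resolve
    for i in range(40):
        hit = 1 if i % 8 == 0 else 0
        lines.append(f"{1617000100 + i} u2002 198.51.100.7 +1555020{2000 + i:04d} {hit}")
    return lines


if __name__ == "__main__":
    for account, (verdict, reasons) in assess(build_sample_log()).items():
        print(account, verdict, "; ".join(reasons))
```

Keying the statistics on the account is the minimum; a production version would also aggregate by source IP and by device, because a scraper spreads lookups over many throwaway accounts, and it would return only the matches for numbers that appear in the caller's existing contacts rather than answering arbitrary numbers, so that even an undetected run yields little.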
As Bleeping Computer noted, because so many tech companies operate out of Ireland, the DPC is regarded as the EU's lead regulator for GDPR compliance; its decision is therefore likely to cause turbulence among other large data controllers and push them to reevaluate their anti-scraping measures.
The Irish Data Protection Commission's full press release on the decision is available here.