European Union privacy regulators have fined Meta, the parent company of Facebook, a total of 251 million euros following an investigation into a 2018 data breach that exposed millions of user accounts. The fines were issued by Ireland’s Data Protection Commission after concluding its probe into the breach, where hackers exploited vulnerabilities in the platform’s code to steal access tokens—digital keys that allowed them to access user accounts.
As Meta’s regional headquarters are in Dublin, the Irish regulator is responsible for overseeing its privacy compliance under the EU’s strict data protection laws, known as the General Data Protection Regulation (GDPR). The penalties, which include reprimands and administrative fines, were imposed after the investigation revealed multiple violations of the GDPR. The total fine amounts to 251 million euros ($264 million).
Meta announced that it plans to appeal the recent decision.
In a statement, the company emphasized that the issue stemmed from a 2018 incident and that it took swift action to address the problem once it was discovered. Meta also stated that it “proactively informed” those affected by the breach, as well as the Irish regulator.
When Facebook first revealed the issue, it claimed that 50 million user accounts were affected. However, the actual number was about 29 million, including 3 million in Europe, according to the Irish regulator.
Following the discovery of the bug, Meta reported the incident to the FBI and relevant regulators in both the U.S. and Europe.
The breach exploited three separate bugs in Facebook’s “View As” feature, which allowed users to see how their profiles appeared to others. Attackers used these vulnerabilities to steal access tokens from users whose profiles were visible through searches in this feature. The attack then spread from one user to another via their Facebook friends. With the stolen access tokens, the hackers could take control of the affected accounts.
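The flaw class this paragraph describes, a profile-preview feature that hands out a real access token for the user being previewed, can be modelled alongside the server-side check that stops a leaked preview token from controlling an account. The following is an added illustrative model in Python, not Facebook's code; the token format, claim names, signing key and function names are all assumptions.

```python
"""Model of the "View As" flaw class: a preview feature that mints a real
access token for the *impersonated* user. Hypothetical and simplified; the
token layout and claim names are assumptions, not Facebook's design."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-key"  # constructed for the demo only

def mint_token(subject: str, actor: str, scope: str) -> str:
    """Sign a minimal token. `subject` is the account the token acts on,
    `actor` is who legitimately holds it. subject != actor with scope
    'full' is an account-takeover credential."""
    body = json.dumps({"sub": subject, "act": actor, "scope": scope},
                      sort_keys=True).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig

def parse_token(token: str) -> dict:
    """Verify the signature and return the claims; reject tampered tokens."""
    b64, sig = token.split(".")
    body = base64.urlsafe_b64decode(b64)
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return json.loads(body)

def render_view_as_vulnerable(viewer: str, target: str) -> dict:
    """Flaw class: to render the page 'as target', the preview code requests
    a full token *for target* (ignoring who the viewer is) and embeds it in
    the response. Whoever receives the page now holds target's credential."""
    token = mint_token(subject=target, actor=target, scope="full")
    html = f"<div data-token='{token}'>profile of {target}</div>"
    return {"html": html, "token": token}

def render_view_as_hardened(viewer: str, target: str) -> dict:
    """Hardened: the preview token belongs to the viewer, records which
    profile is being previewed, and carries a scope that cannot act on
    either account at a privileged endpoint."""
    token = mint_token(subject=viewer, actor=viewer, scope=f"preview:{target}")
    html = f"<div>profile of {target} as seen by {viewer}</div>"
    return {"html": html, "token": token}

def grants_account_control(token: str, account: str) -> bool:
    """Check to apply at every privileged endpoint: only a full-scope token
    whose subject is `account` may act on that account."""
    claims = parse_token(token)
    return claims["sub"] == account and claims["scope"] == "full"
```

The same `grants_account_control` check is what a defender would also audit for in logs: a token minted during a preview flow that later succeeds at a write endpoint for a different account is the signature of this flaw class.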