Facebook’s parent company, Meta, has been fined €17 million (~$18.6 million) by the Irish Data Protection Commission (DPC) over a string of historical data breaches.

The security lapses in question, which appear to have affected up to 30 million Facebook users, date back several years — and had been disclosed by Facebook to the Irish regulator in 2018.

The DPC, which is Meta/Facebook’s lead privacy regulator in the European Union, opened this security-related inquiry in late 2018 after it received no less than 12 data breach notifications from the tech giant in the six-month period between June 7, 2018 and December 4, 2018.

The European Union’s General Data Protection Regulation (GDPR) — which came into application in May 2018 — puts a legal requirement on data controllers to swiftly disclose breaches of personal data to a supervisory authority if the leak of information is likely to pose a risk to individuals. (The most serious breaches should be notified within 72 hours.)

“The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications,” the DPC wrote in a press release announcing a final decision on its Facebook inquiry.

“As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.”

In a statement responding to the DPC’s penalty, a Meta spokesperson sought to play down the episode as merely a case of historically lax record-keeping — writing:

This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.

The penalty announced by the DPC is the first final decision from Ireland on a GDPR investigation against Facebook itself since the regulation begun being applied nearly four years ago — although the regulator did issue a separate (larger) sanction against Facebook-owned WhatsApp last year for violations of transparency rules.

The DPC confirmed that its draft decision on this Facebook inquiry had faced some objections from other EU data protection authorities — something that also occurred in an earlier probe of a Twitter security breach, as well as over the transparency decision on WhatsApp. (And in both those cases the GDPR’s dispute resolution mechanism led to higher penalties being issued than Ireland had proposed.)

The DPC said two other authorities raised objections to its draft decision on this Facebook inquiry. But Ireland does not specify whether the fine was increased as a result of the objections, nor which authorities objected (or why).

It’s notable that the penalty is relatively small — certainly it’s a far cry from the theoretical maximum of 4% of Meta’s global annual turnover (which would be well over a billion dollars).

However the DPC handed an even smaller fine (~$550,000) to Twitter at the end of 2020, also over administrative failings around a security breach notification.

While there are likely variations in what went wrong in each case, it’s pretty clear that security breaches that are assessed by EU authorities as unintentional are likely to attract lower penalties than systemic or flagrant rule violations.

It also follows that a whole string of lapses has netted Facebook a larger penalty than Twitter, which had only been reporting a single breach (not a full dozen).

Major token hack

The details of all 12 security lapses Facebook ‘fessed up to over the six-month period of 2018 are not listed by the DPC in its announcement of the sanction — but in September 2018 the tech giant publicly disclosed a major hack, which it suggested affected at least 50 million accounts after hackers exploited a security vulnerability on the site.

Facebook subsequently claimed that only 30 million users had actually had their tokens stolen in the hack.

The bug, which dated back to July 2017, had allowed hackers to obtain account access tokens which are used to keep users logged in when they enter their username and password — meaning that stolen tokens can allow hackers to break into accounts.

That major token hack wasn’t the only security lapse for the tech giant in 2018, though.

In June, Facebook notified users of a bug which had created a vulnerability for several days the month before, which it said had accidentally changed the suggested privacy setting for status updates to public from whatever users had set it to last — potentially causing up to 14 million users to over-share sensitive friends-only content with strangers.

Another bug we reported on, in November 2018, had allowed any website to pull information from a Facebook user’s profile — including their “likes” and interests — without the person’s knowledge.

And later that same year, in December, Facebook publicly disclosed a Photo API bug that it said had given app developers too much access to the photos of up to 5.6 million users.

This string of security lapses followed hard on the heels of the Cambridge Analytica story breaking into a global scandal — in March 2018 — when revelations of Facebook user data being sucked out of its platform to be repurposed for targeted advertising by the Trump campaign, which was seeking to opaquely influence the U.S. elections, wiped billions of dollars off its share price.

The Cambridge Analytica scandal also…

Read The Full Article at TechCrunch

Check Also

EU court lowers requirements for imposing fines for data protection breaches

The European Court of Justice issued a landmark ruling on Tuesday (5 December) that is set…