The Irish Data Protection Commission fined Meta, which owns Facebook, Instagram, and WhatsApp, €265 million (£228 million) (DPC). The penalty stems from a data breach that resulted in the online publication of hundreds of millions of Facebook users’ personal information. Up to 533 million users’ phone numbers and email addresses were posted on a hacking community online.
The DPC launched an investigation in April 2021.
Facebook said at the time that the information, some of which had already appeared online a number of years ago, was “scraped”, but not hacked, by malicious actors through a vulnerability in its tools prior to September 2019.
“Scraping” uses automated software to lift public information from the internet that can then end up being distributed in online forums.
However, the DPC found that Meta was in breach of Article 25 of General Data Protection Regulation (GDPR) rules.
“Because this data set was so large, because there had been previous instances of scraping on the platform, where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction,” Data Protection Commissioner Helen Dixon said.
“The risks are considerable for individuals in terms of scamming, spamming, smishing, phishing and loss of control over their personal data so we imposed a fine of €265m in total.”
As well as the fine, Meta has been issued with a reprimand and an order requiring it to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.
A spokesman for the company said: “Protecting the privacy and security of people’s data is fundamental to how our business works. That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue.
“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.
“Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
In September, Meta lodged an appeal in the High Court against a record fine of €405m imposed on Instagram by the DPC.
It was the largest fine ever handed down by the Irish data watchdog and was issued for breaches relating to the processing of children’s data.