The penalty marks another significant enforcement action under the EU’s General Data Protection Regulation (GDPR).
The security breach originated in July 2017 with the introduction of a Facebook video upload feature that incorporated a "View as" function, allowing users to view their profiles from another user’s perspective.
A bug in the feature’s integration with the “Happy Birthday Composer” tool enabled attackers to generate user access tokens, the credentials that grant full access to a user’s profile. By exploiting this vulnerability, attackers could repeat the process across multiple accounts.
The breach, which spanned from September 14 to September 28, 2018, resulted in unauthorized access to approximately 29 million accounts worldwide. For the EU, the DPC identified the compromised data as including names, email addresses, phone numbers, and sensitive personal details such as religion, workplace, timeline posts, and children’s data.
The DPC issued two enforcement decisions addressing different aspects of the incident:
- Breach Notification: Meta failed to provide a complete and timely notification of the breach, contrary to GDPR requirements. For this, the company was fined €11 million. The DPC also noted deficiencies in Meta’s documentation of the incident and its remedial measures.
- Data Protection by Design: Meta violated GDPR principles by failing to implement sufficient safeguards to prevent the vulnerability, resulting in a €240 million fine.
DPC Deputy Commissioner Graham Doyle said: “Facebook profiles often contain sensitive data about religion, political beliefs, or personal life that users may only wish to disclose in specific contexts. This breach exposed users to significant risks of misuse.”
Meta spokesperson Emily Westcott acknowledged the fine, reiterating that the company had “taken immediate action” to address the issue upon discovery in 2018. Westcott highlighted Meta’s “industry-leading measures” to safeguard user data.
The ruling follows another GDPR-related fine issued to Meta in September for storing millions of users’ passwords in plaintext on its servers—a breach that resulted in a €91 million penalty.