Ireland’s privacy regulator has fined Meta Platforms Inc. €251 million, or $263 million, over a 2018 breach that compromised millions of users’ data. 

The Data Protection Commission announced the decision today. The regulator is responsible for overseeing Meta’s privacy practices in the European Union because the company’s regional headquarters is located in Ireland. 

The cyberattack that prompted the fine took place in September 2018. Hackers used a code vulnerability that Meta, then Facebook Inc., accidentally released a year earlier to steal the data of about 29 million Facebook users. The cybercriminals accessed names, dates of birth, posts and other information.

The hackers stole the data using a technology Facebook relies on to manage login sessions.

When a user signs into a website, the user’s device receives a snippet of code called an access token. This code contains cybersecurity information such as what parts of the website may be accessed and how. Every time the user navigates to a new webpage, the user’s device must authenticate the login session by providing its access token. 

The hackers behind the 2018 breach stole Facebook users’ access tokens through the social network’s View As feature. The capability, which has since been removed, made it possible to view a Facebook profile from the perspective of a specific user. That user’s access token could be accessed through a vulnerable section of the View As interface. 

In its disclosure of the breach, Meta detailed that the hackers used an automation script to quickly steal access tokens from a large number of users. They then used those access tokens to compromise other data. Meta detected the hacking campaign on Sept. 14, 2018, and blocked it a few days later. 

The Data Protection Commission issued today’s fine because Meta failed to protect user data in the manner required by EU’s GDPR privacy regulation. Additionally, it fell short of certain cyberattack disclosure requirements. 

The €251 million fine includes a €130 million penalty that Meta received because it had failed to effectively implement “data protection principles” in its systems. Another €110 million penalty was issued because the company stored more user information than strictly necessary. Under GDPR, tech firms are only allowed to store the minimum amount of personal data required to power their services and ads. 

The remaining €11 million that Meta was ordered to pay relates to two GDPR breaches. The first is that the company failed to fully document the cyberattack and its subsequent vulnerability remediation efforts. Additionally, the breach notification that Meta sent to regulators about the incident didn’t include all the information it should have.

Today’s fine is the latest in a series that Meta has received over the past few years from the Data Protection Commission. Previously, the company was ordered to pay €91 million for storing several hundred million account passwords in an unencrypted format.

Photo: Wikimedia Commons