The lead European Union data privacy regulator for Meta (META.O), opens new tab fined the social media giant 251 million euros ($263.5 million) on Tuesday for a 2018 Facebook security breach that affected 29 million users.
Meta notified Ireland’s Data Protection Commission at the time that cyber attackers had exploited a vulnerability in Facebook’s code that impacted the “View As” feature that lets users see what their own profile looks like to someone else.
That led to a breach in personal data including users’ full name, contact details, location, place of work, date of birth, religion, gender and their children’s personal data, the DPC said.
“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data,” DPC Deputy Commissioner Graham Doyle said in a statement.
Meta remedied the breach shortly after its discovery, the DPC said. Of the 29 million Facebook accounts impacted globally, about 3 million were based in the EU and European Economic Area.
The DPC is the lead EU regulator for most of the top U.S. internet firms due to the location of their EU operations in Ireland.
It has so far fined Meta almost 3 billion euros for breaches under the bloc’s General Data Protection Regulation (GDPR) introduced in 2018, including a record 1.2 billion euro fine in 2023 that Meta is appealing.
Meta said it will also appeal Tuesday’s decision and that it has a wide range of measures in place to protect users across its platforms.
“We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission,” a spokesperson for Meta said in a statement.