Meta was fined €251 million for failing to meet General Data Protection Regulation (GDPR) requirements in a Facebook data breach affecting 29 million accounts.
The Irish Data Protection Commission (DPC) fined Meta Platforms Ireland Limited €251 million for a 2018 data security breach that compromised the personal information of approximately 29 million Facebook accounts worldwide. Around 3 million of these accounts belonged to users within the European Union and European Economic Area.
The breach stemmed from a flaw in Facebook's 'View As' feature, which allows users to view their profiles from another user's perspective. Cyber attackers exploited this vulnerability by combining the video upload function with the 'Happy Birthday Composer' tool, creating user tokens that granted unauthorized access to multiple accounts.
The compromised data included full names, email addresses, phone numbers, locations, workplace details, dates of birth, religions, genders, timeline posts, group memberships, and children’s personal information. The breach exposed Meta to multiple GDPR violations, including incomplete breach notifications, poor documentation practices, and a lack of data protection principles in system design.
The fine breakdown is as follows:
Meta resolved the breach shortly after its discovery in 2018 and notified affected individuals and the DPC. However, the company intends to appeal the decision, arguing that immediate action was taken to address the issue.
Graham Doyle, deputy commissioner at the DPC, discussed the broader implications of the breach. “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms,” he said.
A Meta spokesperson stated, "We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission."
The €251 million fine is part of nearly €3 billion in GDPR penalties imposed on Meta by the Irish DPC. The case underscores the need for strong data protection measures, timely breach notifications, and proper documentation to mitigate risk and avoid regulatory scrutiny. With no objections from other EU and EEA authorities, the fine reinforces GDPR enforcement and pressures companies like Meta to improve data safeguards and accountability.
The 'View As' feature on Facebook allows users to see how their profile appears to others. The vulnerability occurred because attackers exploited an interaction between this feature and the video upload function, which generated tokens granting unauthorized account access.
GDPR requires companies to embed data protection into system design ('privacy by design'). Violations occur when systems are built without adequately considering data minimization, security measures, or transparency, exposing users to unnecessary risks.
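To make the token flaw and the privacy-by-design point concrete, here is an added illustration (constructed for this article, not Facebook's code): a preview feature that wrongly mints a full-scope token for the profile being viewed, next to a hardened issuer that binds the token to the authenticated actor and narrows its scope, plus an issuance check a defender can run as a design-time invariant. The signing key, claim names and user names are placeholders.

```python
"""Constructed 'preview as' token example; the signing key is a placeholder."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # placeholder, not a real key


def _sign(claims: dict) -> str:
    """Serialise claims and append an HMAC-SHA256 tag (a minimal signed token)."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def mint_token_vulnerable(actor: str, viewed_as: str) -> str:
    """Models the flaw the article describes: the preview issues a token whose
    subject is the profile being viewed, with full account scope, so the
    holder can act as that other user."""
    return _sign({"sub": viewed_as, "scope": "full"})


def mint_token_hardened(actor: str, viewed_as: str) -> str:
    """Subject is always the authenticated actor; the previewed identity is a
    rendering hint only, and the scope is limited to read-only preview."""
    return _sign({"sub": actor, "preview_of": viewed_as, "scope": "preview:read"})


def verify(token: str) -> dict:
    """Check the tag with a constant-time compare and return the claims."""
    body_b64, tag = token.split(".")
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(body)


def can_post_as(token: str, target_user: str) -> bool:
    """Would this token let its holder write to target_user's account?"""
    claims = verify(token)
    return claims["sub"] == target_user and claims["scope"] == "full"


def issuance_violations(session_user: str, token: str) -> list:
    """Design-time invariant check for a preview issuer: list any way the
    token exceeds what the logged-in session should receive."""
    claims = verify(token)
    problems = []
    if claims["sub"] != session_user:
        problems.append("subject is not the authenticated principal")
    if claims["scope"] != "preview:read":
        problems.append("scope exceeds preview")
    return problems
```

Running `issuance_violations` against every token a preview path emits (in tests or as a runtime guard) catches the cross-account subject before it reaches production.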
The Irish DPC oversees GDPR enforcement for many tech companies, including Meta, because they have their European headquarters in Ireland. Under the GDPR's one-stop-shop mechanism, this makes the DPC the lead supervisory authority for violations involving these companies.