In 2018, a significant data breach at Facebook, now part of Meta Platforms, exposed the personal data of millions of users and triggered an investigation by European Union privacy regulators. The breach stemmed from bugs in Facebook's platform code that let attackers steal digital keys known as "access tokens", which granted them unauthorized access to user accounts. An access token is a bearer credential: it is issued after a user logs in so the client does not have to present the password on every request, and anyone who holds a valid token can act as that account without knowing the password. A stolen token is therefore equivalent to an account takeover until the token is invalidated.
The investigation was led by Ireland's Data Protection Commission (DPC), Meta's lead privacy regulator in the EU because the company's European headquarters is in Dublin, and concluded with fines totaling €251 million. The DPC found that Meta had infringed multiple provisions of the General Data Protection Regulation (GDPR), the EU's data privacy framework, including its requirements on breach notification and on data protection by design and by default. The GDPR mandates robust data protection measures for everyone in the EU and imposes significant penalties for non-compliance. The DPC's decision reflects the gravity of the breach and underscores the importance of adhering to the GDPR's principles of data security and user privacy.
Meta has said it intends to appeal, maintaining that it acted swiftly to fix the vulnerabilities once they were discovered and proactively informed both affected users and the Irish regulator. The company's statement stresses how much time has passed since the 2018 incident, implying that the penalties are disproportionate given the remedial action taken. The DPC, however, concluded that Meta's response, although prompt, did not meet the GDPR's requirements and was insufficient to mitigate the impact of the breach.
Initial estimates put the number of compromised accounts at 50 million. Subsequent investigation revised that figure down to approximately 29 million accounts globally, of which about 3 million were in the European Union. The revised figures define the scope of the breach more accurately, and although they are lower than first reported, they still represent a substantial number of individuals whose data was potentially exposed.
Upon discovering the vulnerabilities, Facebook reported the incident to the FBI and to regulators in both the United States and Europe. The breach involved three distinct bugs in Facebook's "View As" feature, which lets a user see their own profile as it appears to someone else. First, View As, which is meant to be view-only, incorrectly rendered a post composer (the one used to wish a friend happy birthday) that allowed a video to be uploaded. Second, the video uploader generated an access token carrying the permissions of the Facebook mobile app. Third, when the uploader ran inside View As, it generated that token not for the viewer but for the user whose profile was being viewed. Chaining the three, attackers obtained access tokens for the accounts of people whose profiles they viewed. The attack then propagated through the social graph: each captured account was used to run View As on that account's friends, yielding further tokens and expanding the reach of the breach.
The stolen access tokens effectively gave attackers control of the compromised accounts, enabling them to read personal data, post content, and potentially carry out further malicious activity. Because a bearer token remains valid until it is invalidated server-side, Facebook's remediation was to reset the access tokens of the affected accounts, forcing those users to log in again, in addition to fixing the View As bugs themselves. The incident highlights the risk of features that render one user's account in the context of another: anything that can mint a credential must take its principal from the authenticated session, never from the profile being displayed, and such code paths deserve rigorous security testing. The substantial fines imposed by the DPC serve as a deterrent and emphasize the EU's commitment to enforcing data privacy regulations.
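To make the bug class concrete, the following is an added example written for this article; it is not Facebook's code and all names (`Session`, `issue_token_vulnerable`, `issue_token_fixed`, `walk_friends`, the demo friend graph and signing key) are assumptions. It models a token issuer that, like the defective uploader, takes its subject from the "View As" rendering context and hands out broad scopes, beside a hardened issuer that refuses to mint anything inside View As and binds the subject to the authenticated user. `walk_friends` replays the propagation described above against each issuer so the difference is visible.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Optional, Set

# Constructed demo key. A real service keeps this in a secret store and rotates it.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Scopes the hardened issuer is willing to grant from a first-party web session.
ALLOWED_SCOPES = {"read_profile", "post_video"}

# Constructed sample social graph used by the demo below.
DEMO_FRIENDS: Dict[str, List[str]] = {
    "alice": ["bob", "carol"],
    "bob": ["dave"],
    "carol": [],
    "dave": ["alice"],
}


def _mint(claims: dict) -> str:
    """Serialise claims and append an HMAC so the client cannot alter them."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode().rstrip("=")
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str) -> dict:
    """Check the MAC and return the claims; raise ValueError on tampering."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


class Session:
    """Server-side state of a logged-in browser session (hypothetical model).

    user_id is the authenticated principal. view_as is the profile the user asked
    to preview through "View As"; it is a rendering hint, never a principal.
    """

    def __init__(self, user_id: str, view_as: Optional[str] = None):
        self.user_id = user_id
        self.view_as = view_as


def issue_token_vulnerable(session: Session) -> str:
    # Defect class from the article: the uploader rendered inside View As minted
    # a token whose subject was the *viewed* user, with full mobile-app scope.
    subject = session.view_as or session.user_id
    return _mint({"sub": subject, "scope": "mobile_app_full"})


def issue_token_fixed(session: Session, scope: str) -> str:
    # Hardened: View As is view-only, so no token is issued from it; the subject
    # is always the authenticated user and the scope must be explicitly allowed.
    if session.view_as is not None:
        raise PermissionError("token issuance is not allowed inside View As")
    if scope not in ALLOWED_SCOPES:
        raise ValueError(f"scope {scope!r} not permitted for this surface")
    return _mint({"sub": session.user_id, "scope": scope})


def walk_friends(
    issuer: Callable[[Session], str],
    start_user: str,
    friends: Dict[str, List[str]],
) -> Set[str]:
    """Replay the propagation the article describes: from each account obtained,
    run View As on its friends and keep whatever subjects the issuer hands back."""
    obtained = {start_user}
    frontier = [start_user]
    while frontier:
        current = frontier.pop()
        for friend in friends.get(current, []):
            if friend in obtained:
                continue
            try:
                claims = verify(issuer(Session(current, view_as=friend)))
            except PermissionError:
                continue  # the hardened issuer refuses, so the walk stalls here
            if claims["sub"] == friend:
                obtained.add(friend)
                frontier.append(friend)
    return obtained


if __name__ == "__main__":
    fixed = lambda s: issue_token_fixed(s, "post_video")
    print("vulnerable issuer reaches:", sorted(walk_friends(issue_token_vulnerable, "alice", DEMO_FRIENDS)))
    print("hardened issuer reaches:  ", sorted(walk_friends(fixed, "alice", DEMO_FRIENDS)))
```

With the vulnerable issuer a single starting account yields tokens for the whole connected component of the graph; with the hardened issuer the walk never leaves the starting account. The two checks in `issue_token_fixed` are independent and both matter: refusing issuance inside View As closes the rendering bug, and binding `sub` to `session.user_id` means that even if some other surface is later exposed in a preview context, it cannot mint a credential for a third party.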