The penalty adds to a series of GDPR fines against Meta, bringing the total to $3 billion.
Meta has been fined $263.5 million (€251 million) by Ireland’s Data Protection Commission (DPC) for a 2018 Facebook security breach that exposed the sensitive data of 29 million users globally.
The breach exploited a vulnerability in Facebook’s “view as” feature, which allows users to view their profiles as others would see them.
The exploit enabled unauthorized access to personal information, including full names, contact details, locations, workplaces, dates of birth, religions, genders, and even data related to users’ children, according to the DPC.
Meta had reported the incident to the Irish regulator after its discovery and took immediate steps to address the issue.
Despite this, the DPC cited several violations of the European Union’s General Data Protection Regulation (GDPR), highlighting the risks associated with the exposure of such personal data.
Meta has said it will appeal the decision, according to Reuters, emphasizing the measures it has implemented to safeguard user data since the incident.
Implications for other companies
Analysts say Meta’s fine serves as a stark reminder for companies operating in the EU to prioritize data protection as a critical business obligation.
The penalty underscores growing regulatory scrutiny and the importance of aligning with the GDPR. Experts warn that compliance requires more than meeting minimum legal standards, urging businesses to embed data protection into system design, establish robust incident response protocols, and ensure transparency in their security measures.
“Simply put, companies are bound by laws, and as juristic persons, complying with GDPR is no longer optional but a governance imperative,” said Thomas George, president of Cybermedia Research. “Organizations are now expected to invest heavily in compliance and foster a culture shift towards data protection. The GDPR fines against giants like Meta confirm a growing trend toward stricter enforcement of data privacy regulations.”
For CIOs and CTOs, the message is clear — data protection must be a foundational consideration for all business operations, not an afterthought.
Need for secure by design
While GDPR provides a robust framework for managing data privacy, experts also argue that mere compliance may fall short of addressing the root causes of data breaches.
The complexity of modern cyber threats demands a proactive approach that extends beyond regulatory mandates, emphasizing prevention as much as response.
“While GDPR does have a mandate on timely notification of breaches, that itself is not enough,” said Keith Prabhu, founder and CEO of Confidis. “Privacy needs to be taken care of during the design phase as well to prevent data breaches. Whether you need to comply with GDPR or any other privacy regulation, robust data breach notification and incident management processes are not optional. Without these, organizations will not only face fines but also business in the long term.”
(Inputs: csoonline)