European Union privacy watchdogs hit Facebook owner Meta with fines totaling 251 million euros on Monday after an investigation into a 2018 data breach on the social media platform that exposed millions of accounts.
Ireland’s Data Protection Commission issued the penalties after wrapping up its inquiry into the breach, when hackers gained access to user accounts by exploiting bugs in the platform’s code that allowed them to steal digital keys, known as “access tokens.”
Under the 27-nation EU’s strict privacy regime, the Irish watchdog is Meta’s lead privacy regulator because the company’s regional headquarters are based in Dublin.
The watchdog issued reprimands and “administrative penalties” worth 251 million euros ($264 million) after it found multiple infringements of the rules, known as the General Data Protection Regulation.
The company said it would appeal the decision.
“This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified,” Meta said in a statement. The company said it “proactively informed people impacted” as well as the Irish watchdog.
When it first disclosed the problem, Facebook said 50 million user accounts were affected. But the actual number was around 29 million, including 3 million in Europe, the Irish watchdog said Tuesday.
The company has said that after discovering the bug, it alerted the FBI and regulators in the U.S. and Europe.
The hack involved three distinct bugs in Facebook’s “View As” feature, which let people see how their profiles appear to others. The attackers used the vulnerability to steal access tokens from the accounts of people whose profiles came up in searches using the “View As” feature. The attack then moved from one user’s Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.
