Meta was fined 265 million euros ($275.5 million) by the Irish Data Protection Commission (DPC) over a massive Facebook data breach in 2021 that exposed the information of hundreds of millions of users around the world.

This concludes the DPC investigation of potential GDPR violations by Meta, launched on April 14, 2021, following the publication of data belonging to 533 million Facebook users on a hacker forum.

The data exposed included personal information, such as mobile phone numbers, Facebook IDs, names, genders, locations, relationship statuses, occupations, birth dates and email addresses.

All of this data was shared on a well-known hacking forum, allowing threat actors to use the data for targeted attacks.

Facebook at the time said the threat actors collected the data by exploiting a flaw in its “Contact Importer” tool to associate phone numbers with a Facebook ID, then scraping the rest of the information to create a profile for the user.

The platform said it fixed the bug in 2019 and the data was collected before that.

DPC’s investigation concluded that Meta (then Facebook) breached Articles 25(1) and 25(2) of the GDPR, summarized as follows:

  • 25(1) – The controller shall implement appropriate technical and organizational measures, such as pseudonymisation, and incorporate the necessary safeguards into the processing to meet the requirements of this Regulation and to protect the rights of data subjects.
  • 25(2) – The controller implements appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each processing purpose are processed. In particular, these measures ensure that, by default, personal data is not made accessible without the intervention of the individual to an indefinite number of natural persons.

“There has been a comprehensive investigation process, including cooperation with all other data protection supervisory authorities within the EU,” reads the DPC announcement.

“These supervisory authorities approved the decision of the DPC.”

Data scraping

Data scrapers are automated bots that leverage the open web APIs of platforms holding user data, such as Facebook, to extract publicly available information and build massive databases of user profiles.

Although no hacking is involved, the datasets collected by scrapers can be combined with data from multiple points (sites) to create comprehensive profiles of users, making tracking by marketers or targeting by threat actors much more effective.

However, in the case of Meta, threat actors used a flaw in the contact importer on Facebook and Instagram to link phone numbers to this publicly retrieved information, allowing them to create profiles containing both private and public information.
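The abuse described above and in the earlier paragraph on the “Contact Importer” flaw boils down to one client submitting very large batches of phone numbers, most of which match no real contact, so that the small fraction that do match leaks a phone-number-to-ID mapping. A defender's first control on any contact-import endpoint is therefore to watch the volume and match rate per account. The following is an added example, not code from Meta or from the DPC decision: it parses constructed contact-import log lines (the format, account names and thresholds are assumptions) and flags accounts whose imports within a sliding window submit many numbers with a low match rate.

```python
"""Added example: flag contact-import activity that looks like bulk phone-number enumeration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Facebook data). Each line is:
# <timestamp> <account id> <numbers submitted in this import> <numbers that matched a profile>
SAMPLE_LOG = """\
2021-04-01T10:00:00Z acct-1001 42 31
2021-04-01T10:00:05Z acct-1001 40 29
2021-04-01T10:01:00Z acct-2002 5000 4
2021-04-01T10:01:30Z acct-2002 5000 7
2021-04-01T10:02:00Z acct-2002 5000 3
2021-04-01T10:05:00Z acct-3003 120 95
"""


def parse_log(text):
    """Turn the assumed log format into (timestamp, account, submitted, matched) tuples."""
    events = []
    for line in text.splitlines():
        ts, acct, submitted, matched = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct,
                       int(submitted), int(matched)))
    return events


def find_enumerators(events, window=timedelta(minutes=10),
                     max_numbers=1000, min_match_rate=0.2):
    """Return accounts that, within any `window`, submitted more than `max_numbers`
    phone numbers while matching fewer than `min_match_rate` of them.

    A genuine user importing an address book matches most of the numbers; an
    enumeration run matches almost none. The thresholds are illustrative and
    would be tuned against a platform's own baseline.
    """
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev[1]].append(ev)

    flagged = {}
    for acct, evs in by_acct.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            submitted = sum(e[2] for e in evs[start:end + 1])
            matched = sum(e[3] for e in evs[start:end + 1])
            if submitted > max_numbers and matched / submitted < min_match_rate:
                # Keep the largest offending window seen for this account.
                if acct not in flagged or submitted > flagged[acct]["submitted"]:
                    flagged[acct] = {"submitted": submitted, "matched": matched,
                                     "match_rate": round(matched / submitted, 4)}
    return flagged


if __name__ == "__main__":
    for acct, stats in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"{acct}: {stats['submitted']} numbers submitted, "
              f"{stats['matched']} matched (rate {stats['match_rate']})")
```

On the constructed sample, acct-1001 and acct-3003 look like ordinary address-book imports (small batches, high match rate) and are left alone, while acct-2002 is flagged for 15,000 submitted numbers with 14 matches. In practice a rule like this feeds a rate limiter or a step-up challenge rather than a hard block, and the window and thresholds come from observed legitimate import sizes.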

Scraping is against the policies of most online platforms, but enforcing those rules is technically complicated, as was recently highlighted with TikTok and WeChat.

LinkedIn took things to court to prevent scraping of data on its platform, obtaining an injunction against the scrapers and preventing them from using the data they had already collected this way.

The DPC is considered the spearhead of GDPR compliance in the EU because many tech companies operate from Ireland. Its decision is therefore bound to create turbulence for other big data controllers, forcing them to re-evaluate their anti-scraping mechanisms.
