Tuesday, December 24, 2024

Irish Data Protection Commission (DPC) fined Meta for failing to prevent data scraping from Facebook users

The Irish Data Protection Commission (DPC) has fined Meta €265 million ($275.5 million) for the data leak that Facebook experienced in 2021 that exposed the data of millions of Facebook users.

Additionally, Meta is being subject to a number of corrective measures from the Data Protection Commission.

The Meta Platforms Ireland Limited (MPIL), the data controller for the social media network “Facebook,” was the subject of a Data Protection Commission (DPC) investigation that was concluded today with a €265 million fine and a number of corrective actions being taken. reads the press announcement from the DPC.

A hacker forum user published 533 million Facebook users’ phone numbers and personal information for free online on April 3, 2021.

The availability of the data was first reported by Alon Gal, CTO of cyber intelligence firm Hudson Rock.

The data of Facebook users from 106 countries were available for free, with over 32 million records belonging to users from the US, 11 from the UK, and 6 million users from India. Leaked data included users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.

Immediately after the disclosures of the data leak the Irish DPC launched an investigation of potential GDPR violations by Meta. The data were amassed by threat actors by exploiting a vulnerability fixed in 2019 that allowed data scraping from the social network.

“The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users.” reported the WSJ. “On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.”

Now DPC concluded the investigation and argued that Meta violated the GDPR for not implementing appropriate technical and organizational measures, and not adopting the necessary safeguards as required by the European Regulation.

Recommended:  What is identity theft? and 5+ Ways to prevent it

“The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.” continues the press release.

Meta declared that it has made multiple changes to better safeguard users’ data since the incident took place. The Iris privacy regulator revealed it has several dozen more ongoing cases involving multiple tech giants.

After learning about the data loss, the Irish DPC immediately began looking into any GDPR violations by Meta. Threat actors used a vulnerability addressed in 2019 that permitted data scraping from the social network to gather the data.

“The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users.” reported the WSJ. “On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.”

Now that the inquiry is complete, DPC claimed that Meta had broken the GDPR by failing to implement the proper organisational and technical safeguards and by not adopting the necessary protections as required by the European Regulation.

The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.” continues the press release.

Meta declared that it has made multiple changes to better safeguard users’ data since the incident took place. The Iris privacy regulator revealed it has several dozen more ongoing cases involving multiple tech giants.

Recommended:  Spotify Accounts Hacked by Credential Stuffing Based on Stolen Database

Suggest an edit to this article

Check out our new Discord Cyber Awareness Server. Stay informed with CVE Alerts, Cybersecurity News & More!

Cybersecurity Knowledge Base

Homepage

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Please login to bookmarkClose
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security