Meta has been fined €251 million (A$415.5 million) in the European Union for a security breach that affected millions of users in September 2018.
The penalty was imposed by Ireland’s Data Protection Commission (DPC), which issued its decisions on two inquiries on Tuesday.
The first decision covers Meta’s breach notification, as the General Data Protection Regulation (GDPR) requires prompt and comprehensive reporting of such security matters. The second concerns data protection by design and default.
Meta was fined €11 million in relation to the first decision, as the DPC notes the company did not include all the information it should have or fully document facts and take steps to remedy the issue.
The second decision set Meta back €240 million as the DPC confirmed the company violated the GDPR principles of data protection.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” DPC deputy commissioner Graham Doyle said in a statement.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances.”
The fine relates to a breach that Meta disclosed back in 2018, which affected the data of around 29 million users: full names; email addresses; phone numbers; locations; places of work; dates of birth; religions; genders; posts on timelines; groups of which a user was a member; and children’s personal data.
This occurred through a bug that allowed unauthorised third parties to tokens onto the Facebook platforms. The tokens were used to obtain login information to Facebook accounts.
At the time of publication, Meta Platforms Inc. (NASDAQ: META) has a stock price of US$619.44. Its market cap is approximately $1.56 trillion.
