The Irish Data Protection Commission (DPC) has fined Meta €265 million ($275.5 million) for a significant 2021 Facebook data leak that exposed the information of hundreds of millions of users worldwide.
This closes the DPC’s investigation into possible GDPR violations by Meta, which was opened on April 14, 2021, after data pertaining to 533 million Facebook users was posted on a hacker forum.
The exposed data included phone numbers, Facebook IDs, names, genders, locations, marital statuses, occupations, dates of birth, and email addresses. All of it was made available on a well-known hacker forum, where threat actors could use it to launch targeted attacks.
At the time, Facebook said that threat actors had collected the data by using a bug in its “Contact Importer” tool to link phone numbers to Facebook IDs, then scraping the rest of the data to build a profile of each user. According to the platform, the data was gathered before it fixed the security flaw in 2019.
According to the findings of the DPC’s inquiry, Meta (formerly Facebook) violated Articles 25(1) and 25(2) of the GDPR.
25(1) - The data controller shall implement appropriate technical and organizational measures, such as pseudonymization, and integrate the necessary safeguards into the processing to meet the requirements of this Regulation and protect the rights of data subjects.
25(2) - The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each processing purpose are processed. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
According to the DPC release, “There was a thorough investigation procedure, including cooperation with all of the other data protection supervisory bodies inside the EU.”
“Those supervisory authorities supported the DPC’s decision.”
Data scraping
Data scrapers are automated scripts or bots that use Facebook’s open network APIs, and those of other platforms that store user data, to collect information that is already publicly available and build enormous databases of user profiles.
Although no hacking is involved, the data sets gathered by scrapers can be combined with information from other sources (sites) to build complete profiles of users, which makes tracking by marketers and targeting by threat actors much more effective.
However, in Meta’s case, the threat actors created profiles with both private and public information by using a weakness in the Contact Importer on Facebook and Instagram to link phone numbers with this publicly scraped information.
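The abuse described above (a client feeding large batches of phone numbers into a contact-matching endpoint to harvest account IDs) looks very different from a genuine address-book import in server logs: the volume per client is far higher and the share of numbers that actually match an account is far lower. The following is an added example of detection logic over such logs; it is not code from Meta or from the original article. The log format, the client identifiers, the sample lines and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log for a hypothetical contact-import matching
# endpoint. Each line records one batch: how many numbers a client submitted
# and how many of them matched an existing account.
SAMPLE_LOG = """\
2021-04-01T10:00:01Z client=app-7f3 ip=203.0.113.10 submitted=240 matched=185
2021-04-01T10:00:05Z client=app-9a1 ip=203.0.113.11 submitted=5000 matched=62
2021-04-01T10:00:09Z client=app-9a1 ip=203.0.113.11 submitted=5000 matched=58
2021-04-01T10:00:14Z client=app-9a1 ip=203.0.113.11 submitted=5000 matched=71
2021-04-01T10:00:20Z client=app-c02 ip=198.51.100.7 submitted=12 matched=9
2021-04-01T10:00:31Z client=app-9a1 ip=203.0.113.11 submitted=5000 matched=66
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) ip=(?P<ip>\S+) "
    r"submitted=(?P<submitted>\d+) matched=(?P<matched>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts.

    Lines that do not match the expected format are skipped rather than
    raising, so a single malformed line does not stop the analysis.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "client": m["client"],
            "ip": m["ip"],
            "submitted": int(m["submitted"]),
            "matched": int(m["matched"]),
        })
    return events


def find_enumerators(events, window=timedelta(minutes=5),
                     max_submitted=2000, min_match_ratio=0.25):
    """Flag clients whose contact-import traffic looks like enumeration.

    For each client, sum the numbers submitted and matched over a sliding
    time window. A real address-book upload is small and most numbers belong
    to real contacts, so it matches often; an enumeration run submits far
    more numbers than any address book holds and almost none of them match.
    A client is flagged when, within one window, it exceeds the volume
    threshold AND its match ratio is below the floor. The thresholds are
    assumed values for this example, not figures from the article.
    """
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    flagged = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            submitted = matched = 0
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                submitted += e["submitted"]
                matched += e["matched"]
            ratio = matched / submitted if submitted else 0.0
            if submitted > max_submitted and ratio < min_match_ratio:
                flagged[client] = {
                    "submitted": submitted,
                    "matched": matched,
                    "match_ratio": round(ratio, 3),
                }
                break  # one alert per client is enough
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"possible enumeration by {client}: {stats}")
```

Keying the aggregation on the client identifier rather than the source IP catches an operator who rotates addresses but reuses credentials; running the same logic keyed on IP catches the opposite case. Either way the alert is a signal to throttle or challenge the client, and a per-client cap on numbers accepted per window is the corresponding preventive control.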
Most online sites prohibit scraping, but as TikTok and WeChat recently demonstrated, it can be difficult to enforce these regulations due to technical issues.
LinkedIn filed a lawsuit to stop data scraping on its platform. As a result, an injunction was obtained against the scraper operators and they were barred from using data they had previously acquired in this way.
Because many IT firms operating in the EU are based in Ireland, the DPC is seen as the leader in GDPR compliance, so its ruling is certain to cause a stir among other major data controllers and force them to rethink their anti-scraping defences.