The April 2021 leak exposed the phone numbers, locations, and birthdates of Facebook users on the platform from 2018 to 2019.
Ireland’s Data Protection Commission hit Meta with a €265 million fine (about $276 million USD) after an April 2021 data leak exposed the information of more than 533 million users. The DPC started the investigation shortly after news of the leak broke, and it involved an examination of whether Facebook complied with Europe’s General Data Protection Regulation (GDPR).
The leaked information, spotted by Insider, was posted to an online hacking forum and included the full names, phone numbers, locations, and birthdates of users on the platform from 2018 to 2019. At the time, Meta said the bad actor obtained the information through a vulnerability that the company fixed in 2019 and that this was the same information involved in a prior leak reported by Motherboard in January 2021.
This marks the third fine the DPC imposed on Meta this year. In March, the DPC fined Meta $18.6 million USD for bad record-keeping in relation to a series of 2018 data breaches that exposed the information of up to 30 million Facebook users. The European regulator also slapped Meta with a $402 million fine in September following an investigation into Instagram’s handling of teenagers’ data.
Meta has been fined nearly $700 million by the DPC in 2022 — and that doesn’t include the $267 million fine WhatsApp incurred for violating Europe’s data privacy laws last year. In a statement obtained by Newstalk reporter Jess Kelly, an unidentified Meta spokesperson said:
“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
Meta didn’t immediately respond to The Verge’s request for comment. The company highlighted what it does to combat data scraping in a blog post from last year, noting that it tasks its External Data Misuse (EDM) team with detecting, blocking, and preventing scraping.