Meta has been hit with a €265 million ($277 million) fine for failing to prevent millions of Facebook users’ mobile phone numbers and other data from being scraped and dumped online, Independent.ie has reported. It’s the second fine levied by the Irish Data Protection Commission (DPC) in just the past few months, following a €405 million ($402 million at the time) penalty issued in September. In just the last 18 months, Meta has tallied nearly €1 billion in fines.
The penalty was issued in response to the leak of 533 million Facebook users’ data reported in April last year. That included phone numbers, birth dates, email addresses and locations, information that could be exploited in phishing and other attacks. The private information of sitting judges, prison officers, social workers, journalists and others was posted online, the DPC said.
At the time, Meta blamed the attack on “bad actors,” but Ireland’s regulator said the company failed to comply with GDPR obligations of “data protection by design and default.” It wrote in a news release that other data protection authorities in the EU “agreed with the decision of the DPC.”
Meta confirmed to The Wall Street Journal that the flaw had been patched back in 2019. The company said that it will review DPC Ireland’s decision, but has not yet decided whether to appeal. “Unauthorized data scraping is unacceptable and against our rules,” the spokesperson added.
Last year, the DPC fined Meta’s WhatsApp €225 million ($267 million) for not providing details of how it shares European Union users’ data with Facebook. It was also hit with a €17 million ($18.6 million) fine over 12 separate data breaches, and penalized €405 million ($402 million) for its handling of children’s privacy settings on Instagram.