Inquiries into Meta Platforms Ireland Limited (Token Breach) – December 2024

(IN-18-10-1 and IN-18-11-1)

Date of Decisions: 12 December 2024

On 12 December 2024, the Irish Data Protection Commission (‘DPC’) adopted final decisions in two own-volition statutory inquiries, reprimanding Meta Platforms Ireland Limited (‘MPIL’) and imposing administrative fines. The DPC opened the inquiries in response to a personal data breach reported by MPIL (then known as Facebook Ireland Ltd) in September 2018. The inquiries were conducted in accordance with the Data Protection Act 2018 and Article 60 of the EU General Data Protection Regulation (‘GDPR’).

The decisions considered aspects of the fundamental right to data protection under Article 8 of the Charter of Fundamental Rights of the EU as given effect in the GDPR, including the controller’s obligation to report and maintain records of breaches, and to implement measures to protect personal data both by design and default.

Background to the Inquiries

The breach arose from MPIL’s use of user tokens in connection with certain features on the Facebook platform. User tokens are coded identifiers that authenticate the user of a platform or utility and control access to particular platform features and to the personal data of that user and their contacts. In 2017 MPIL introduced a new video uploading feature. When used in conjunction with Facebook’s ‘View As’ feature (which allows a user to see their own page as another user would see it) and the ‘Happy Birthday Composer’, the video uploader generated a fully permissioned user token for that other user, giving full access to that user’s Facebook profile. The token could then be used to repeat the same combination of features against further accounts, giving access to multiple users’ profiles and to the data reachable through them. Between 14 and 28 September 2018 unauthorised persons used scripts to exploit this vulnerability and gained access to approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. Facebook security personnel were alerted to the vulnerability by an anomalous increase in video upload activity and removed the functionality that caused it shortly thereafter. MPIL notified the DPC of the breach on 28 September 2018.
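The token-scoping failure described above, modelled as an added example. This is hypothetical Python written for this page, not Facebook’s or MPIL’s code, and it does not reproduce their implementation; the social graph, the scope names, the ‘View As’ parameter and the function names are all assumptions. The flawed issuer mints the uploader token for the previewed account with every scope, so a single token lets an attacker walk the friend graph from one account to the next; the hardened issuer binds the token to the authenticated session whatever the preview identity (data protection by design, Article 25(1)) and grants only the one scope the uploader needs (data protection by default, Article 25(2)).

```python
"""Model of an over-permissioned 'View As' token issuer and a hardened one.

Hypothetical code written for this page: it is not Facebook/MPIL code and
does not reproduce their implementation. The social graph, scope names and
function names are assumptions made for the example.
"""
from dataclasses import dataclass
import secrets

# Constructed social graph for the example: who is friends with whom.
FRIENDS = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob"},
    "mallory": set(),
}
# Every scope the platform knows about (assumed names).
FULL_SCOPES = frozenset({"session", "profile:read", "video:upload", "post:write"})


@dataclass(frozen=True)
class Token:
    subject: str        # the account the token acts as
    issued_to: str      # the authenticated account that obtained it
    scopes: frozenset


class TokenStore:
    """Opaque random token values mapped to their claims (server side)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, subject, issued_to, scopes):
        value = secrets.token_urlsafe(16)
        self._tokens[value] = Token(subject, issued_to, frozenset(scopes))
        return value

    def resolve(self, value, needed_scope):
        tok = self._tokens.get(value)
        if tok is None or needed_scope not in tok.scopes:
            raise PermissionError(f"token lacks scope {needed_scope!r}")
        return tok


def login(store, user):
    # A first-party session: subject and issued_to are the same principal.
    return store.issue(user, user, {"session"})


def mint_uploader_token_vulnerable(store, session_value, view_as=None):
    """Flawed issuer: inside a 'View As' preview the composer mints the token
    for the previewed account, and with every scope the platform has."""
    session = store.resolve(session_value, "session")
    acting_as = view_as or session.subject          # BUG: subject follows the preview
    return store.issue(acting_as, session.subject, FULL_SCOPES)  # BUG: full scope


def mint_uploader_token_hardened(store, session_value, view_as=None):
    """Hardened issuer: only a first-party session may mint, the token is bound
    to the authenticated user regardless of the preview, and it carries only
    the single scope the video uploader needs."""
    session = store.resolve(session_value, "session")
    if session.subject != session.issued_to:
        raise PermissionError("only a first-party session may mint tokens")
    # view_as is a rendering hint for the preview; it never changes the subject.
    return store.issue(session.subject, session.subject, {"video:upload"})


def read_profile(store, token_value, target):
    """Profile read allowed for the token's subject and that subject's friends."""
    tok = store.resolve(token_value, "profile:read")
    if target != tok.subject and target not in FRIENDS[tok.subject]:
        raise PermissionError(f"{tok.subject} may not read {target}")
    return {"user": target, "friends": sorted(FRIENDS[target])}


def harvest_vulnerable(store, attacker, start):
    """The chain: each harvested full-scope token is itself accepted as a
    session, so the attacker can preview, and mint a token for, every friend
    of the account just compromised."""
    compromised = {}
    frontier = [(login(store, attacker), start)]
    while frontier:
        credential, victim = frontier.pop()
        if victim in compromised:
            continue
        stolen = mint_uploader_token_vulnerable(store, credential, view_as=victim)
        compromised[victim] = read_profile(store, stolen, victim)
        frontier.extend((stolen, friend) for friend in FRIENDS[victim])
    return compromised


def harvest_hardened(store, attacker, start):
    """Same attempt against the hardened issuer: the token is scoped to
    video:upload and bound to the attacker, so the profile read is refused."""
    tok = mint_uploader_token_hardened(store, login(store, attacker), view_as=start)
    try:
        read_profile(store, tok, start)
    except PermissionError as exc:
        return str(exc)
    return "unexpected success"


if __name__ == "__main__":
    print(sorted(harvest_vulnerable(TokenStore(), "mallory", "alice")))
    print(harvest_hardened(TokenStore(), "mallory", "alice"))
```

Run stand-alone, the vulnerable path compromises alice, bob and carol from a single starting account, while the hardened path fails at the first read with a missing-scope error; even a token that did carry profile:read would be bound to mallory and so limited to mallory’s own (empty) friend list.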

The DPC commenced inquiries to investigate compliance with aspects of the GDPR.

Summary of Findings: IN-18-10-1

  1. Article 33(3) GDPR: MPIL’s breach notification did not include information about the breach that MPIL could and should have included, namely the nature of the breach, the categories of data subjects affected, the categories of personal data records affected and the likely consequences of the breach.
  2. Article 33(5) GDPR: MPIL failed to create a contemporaneous documentary record of the facts relating to the breach.

Summary of Findings: IN-18-11-1

  1. Article 25(1) GDPR: MPIL failed to implement appropriate technical and organisational measures to ensure that the processing was secure against attack and upheld the principles of integrity and confidentiality. Separately from the vulnerabilities specifically attributable to the tokens, MPIL failed to make use of alternative and more appropriate measures to ensure that, by design, the processing met the required standards of data protection.
  2. Article 25(2) GDPR: In the context of the processing for which they were deployed, the tokens gave unnecessarily broad access to the personal data of Facebook users. This failure to ensure that only the personal data necessary for the specific purpose of the processing were processed infringed the principle of data protection by default.

Corrective Measures

Where the DPC makes a decision under section 111(1)(a) of the Data Protection Act 2018, it must also make a decision under section 111(2) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and if so, the corrective power to be exercised.

Having considered the infringements of the GDPR as set out above, the DPC decided to exercise the following corrective powers, in accordance with Article 58(2) GDPR:

  • a reprimand, pursuant to Article 58(2)(b) GDPR, regarding the infringements identified in the Decision; and
  • administrative fines totalling €251 million, as follows:
    1. In respect of MPIL’s infringement of Article 33(3) GDPR, a fine of €8 million.
    2. In respect of MPIL’s infringement of Article 33(5) GDPR, a fine of €3 million.
    3. In respect of MPIL’s infringement of Article 25(1) GDPR, a fine of €130 million.
    4. In respect of MPIL’s infringement of Article 25(2) GDPR, a fine of €110 million.

The purpose of the reprimand is to formally recognise the serious nature of the infringements in order to deter similar non-compliance in future by MPIL and by other controllers or processors carrying out similar processing operations. The infringements concerned the personal data of millions of Facebook users. Furthermore, the DPC found that the infringements contributed to a risk of fraud, identity theft and spamming in respect of the data subjects, including children and other vulnerable persons.

In deciding to impose administrative fines totalling €251 million, the DPC gave due regard to the factors set out in Article 83(2) GDPR. The DPC also considered that the administrative fines met the requirements set out in Article 83(1) GDPR of being effective, proportionate and dissuasive.

Before adopting the Decisions, the DPC submitted drafts of them to the other European data protection supervisory authorities (‘Concerned Supervisory Authorities’ or ‘CSAs’) in September 2024, as required by Article 60(3) GDPR. The CSAs did not raise any objections under Article 60(4) GDPR to the draft decisions. Three comments were received from CSAs with regard to each of the draft decisions. The DPC had due regard to these comments, and to final submissions by MPIL, when finalising the Decisions for adoption.


The full decision IN-18-10-1 is now available for download (36MB, PDF).

The full decision IN-18-11-1 is now available for download (36MB, PDF).