The Data Protection Commission (DPC) has fined Facebook owner Meta Platforms €265m for a data breach that saw the phone numbers and personal data of 533m users leaked online last April.
The data watchdog imposed the fine and a range of corrective measures on Meta Platforms Ireland Ltd (MPIL), the social media giant's main Irish subsidiary, which serves as the company's European headquarters.
Meta, then known as Facebook Inc, said at the time of the reports that "malicious actors" had obtained the data prior to September 2019 by "scraping" profiles using a vulnerability in its tool to sync contacts.
Scraping is an automated process whereby software is used to copy information from the internet and distribute it widely.
Meta said it had identified the issue at the time and modified the tool, adding that it was "confident that the specific issue that allowed them to scrape this data in 2019 no longer exists".
The DPC said it commenced the inquiry on 14 April following reports of the breach and that it had examined and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland between May 2018 and September 2019.
The commission said Facebook had failed in its obligations under the Data Protection by Design and Default section of the EU's GDPR legislation.
"The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept)," the regulator said in a statement.
"There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.
"The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265m on MPIL."
The latest fine brings the total value of fines issued against the company in the past 14 months to €910m, and it is the fourth sanction against Meta by the DPC, which effectively acts as the EU's data protection watchdog, since 2018.
The DPC fined Meta €405m in September for violations of children's privacy on Instagram, and €225m in September 2021 for "severe" breaches of privacy law by WhatsApp.
“We have co-operated fully with the Irish Data Protection Commission on this important issue,” a Meta spokesperson said in a statement.
“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers.”
Meta recently announced some 350 job cuts in Ireland as part of a wider cull of 11,000 positions that will see the tech giant reduce its headcount by some 13%.