On November 28th, the Irish Data Protection Commission (DPC) announced Meta was fined 265 million euros ($274.8 million) for violating the EU’s General Data Protection Regulation (GDPR). More specifically, the commission said Meta was fined because it had failed to ensure that Facebook was built to prevent data breaches. A probe that began in April of 2021 led to the announcement. The actual breach happened much earlier, in the latter half of 2019.
TechCrunch first reported on the breach, which exposed hundreds of millions of Facebook users’ phone numbers in a searchable online database. Even though the hosting service removed the database, its existence showed that Facebook’s data had been compromised.
The Irish Data Protection Commission’s investigation
The DPC started looking into the hack in April 2021. Meta released a statement at the time titled “The Facts on News Reports About Facebook Data” in response to the hack. In it, Meta said that an attacker had used its contact importer tool to flood the server with phone numbers, looking for ones that matched Facebook profiles.
Each successful match tied a phone number to a user’s profile, bringing the attacker one step closer to that user’s personal information. The result was that sensitive information about the users was exposed to bad actors.
The company said it had fixed the contact importer’s security flaw as soon as it was discovered.
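The statement above describes a contact-importer lookup endpoint being driven with large volumes of guessed phone numbers. The following is an added illustration of the two controls a defender would put in front of such an endpoint: a per-client sliding-window rate limit, and an anomaly check that flags clients whose lookups mostly miss (a genuine address-book upload resolves most of its entries, while guessed numbers mostly do not). It is not Meta’s code and makes no claim about how Facebook’s importer actually works; the log format, client identifiers, thresholds and sample data are all constructed for the example.

```python
"""Throttle and flag bulk phone-number lookups against a contact-import endpoint.

Added example, not code from the article or from Meta. Log format, client
names and thresholds are hypothetical.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # hypothetical sliding window
MAX_LOOKUPS_PER_WINDOW = 100   # hypothetical per-client lookup budget per window
MIN_LOOKUPS_TO_SCORE = 50      # do not judge hit rate on tiny samples
MAX_MISS_RATIO = 0.8           # real address books mostly resolve; guesses mostly miss


def build_sample_log():
    """Constructed log lines: '<epoch_seconds> <client_id> <hashed_number> <hit|miss>'.

    legit-client: 40 lookups over 40 s, 30 of which resolve to a profile.
    bulk-client : 300 lookups over 30 s, only 20 of which resolve.
    """
    lines = []
    for i in range(40):
        outcome = "hit" if i % 4 else "miss"
        lines.append(f"{1000 + i} legit-client h{i:04d} {outcome}")
    for i in range(300):
        outcome = "hit" if i % 15 == 0 else "miss"
        lines.append(f"{1000 + i // 10} bulk-client h{5000 + i:04d} {outcome}")
    # The limiter expects events in time order; sort is stable so ties keep file order.
    return sorted(lines, key=lambda line: int(line.split()[0]))


class SlidingWindowLimiter:
    """Allow at most `limit` accepted lookups per client in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.accepted = defaultdict(deque)  # client -> timestamps of accepted lookups

    def allow(self, client, ts):
        q = self.accepted[client]
        while q and q[0] <= ts - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                        # over budget: reject, do not record
        q.append(ts)
        return True


def parse_line(line):
    ts, client, number_hash, outcome = line.split()
    return int(ts), client, number_hash, outcome == "hit"


def analyse(lines, limiter=None):
    """Replay log lines through the limiter and collect per-client counters."""
    limiter = limiter or SlidingWindowLimiter(MAX_LOOKUPS_PER_WINDOW, WINDOW_SECONDS)
    stats = defaultdict(lambda: {"lookups": 0, "hits": 0, "throttled": 0})
    for line in lines:
        ts, client, _, hit = parse_line(line)
        s = stats[client]
        s["lookups"] += 1
        s["hits"] += int(hit)
        if not limiter.allow(client, ts):
            s["throttled"] += 1
    return dict(stats)


def flagged_clients(stats):
    """Clients that were throttled or whose lookups mostly failed to resolve."""
    flagged = []
    for client, s in stats.items():
        if s["lookups"] < MIN_LOOKUPS_TO_SCORE:
            continue
        miss_ratio = 1.0 - s["hits"] / s["lookups"]
        if s["throttled"] or miss_ratio > MAX_MISS_RATIO:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    stats = analyse(build_sample_log())
    for client, s in stats.items():
        print(client, s)
    print("flagged:", flagged_clients(stats))
```

With the constructed log, the legitimate client stays under budget and is never scored for hit rate (too few lookups), while the bulk client exhausts its budget within the first window and is also caught by the miss-ratio check, so either control alone would have raised it. In a real deployment the thresholds would be tuned from observed traffic and the counters kept in shared storage rather than process memory.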
A new statement from the DPC claims that the investigation into this incident revealed an “infringement of Articles 25(1) and 25(2) GDPR,” for which “administrative fines totaling €265 million” were levied.
Personal information in social media apps
Recently, as data breaches have become more commonplace, requiring personal information to use social media apps has become controversial. Companies in the blockchain space have responded by developing social media apps that don’t ask for personal information such as email addresses or phone numbers. For instance, social media apps like Bitclout and Blockster let users sign up using only an Ethereum wallet.
To standardize the wallet login procedure for all apps, Ethereum developers have proposed EIP-4361. Advocates think this could prevent future breaches by removing the incentive for social media apps to request users’ sensitive personal information.