The Irish Data Protection Commission (DPC) today concluded an inquiry into Meta Platforms over a Facebook data breach that occurred in 2018/2019. The inquiry was spurred by media reports about the discovery of a subset of Facebook personal data that had been leaked to the Internet.
The DPC examined whether there had been any breaches of the GDPR regulations leading up to the data breach. This included checking on technical and organizational measures the company deployed as part of its duty of care.
The investigation was completed in collaboration with all the other data protection agencies in the EU, each of which agreed with the Irish findings. The decision states that an infringement was indeed found. As a result, the agency imposed a reprimand and an order requiring that Meta bring its data processing into compliance by taking remedial action.
The company has been given a ‘particular timeframe’ to comply, but in the meantime, Meta has been fined a total of €265 million in administrative penalties.
The data leak exposed the personal details of more than 500 million users, including full names, phone numbers, locations and birthdays of people who used the Facebook platform for the period 2018 to 2019. This fine is the third that has been levied on Meta this year alone.
In March, the DPC fined the company $18.6 million, again for 2018 data breaches that leaked the personal details of some 30 million Facebook users. EU regulators also imposed a $402 million fine two months ago for lapses in the way Instagram handled teenagers’ data. These fines are on top of the $276 million WhatsApp incurred last year for further data privacy violations.
Meta Subject To Data Scraping Attacks
Many of these breaches appear to relate to the unauthorized automated scraping of data from the Facebook platform, without company knowledge. Under the terms of the GDPR, it is the responsibility of any company holding personal information for its users to protect that data securely and adequately. Failure to do so leaves the company open to recurring fines, which is what has happened in these cases.
Meta has outlined in detail the steps it is taking to tackle the problem of scraping. The company claims to have a team of 100 people, including data scientists, analysts and engineers, who are focused on the task of detecting and blocking automated data scraping.
There are a number of conventional processes and tools which can be used to combat this kind of attack. Rate limiting and data limits throttle back the amount of data an attacker can download. This has the effect of making the attack too cumbersome to be worthwhile.
The other parts of the toolkit are typically confidential, but normally include detecting suspicious behavior and activity patterns that are associated with data scraping. Once such patterns are identified, the attackers can be blocked from further access. Finally, the team uses the full extent of its legal options to issue cease and desist orders, or to request that hosting providers remove the data before any major harm is done.
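The two defensive measures described above, throttling a client's download rate and flagging the access pattern that scraping produces, can be shown together in a few dozen lines. The following is an added example written for this article; it is not Meta's code and makes no claim about how the company's anti-scraping team works. It assumes a simplified access log in which each event carries a timestamp, a client identifier and the id of the profile being fetched (all sample events are constructed), a per-client sliding-window rate limit, and two heuristic indicators of enumeration: a client that almost never repeats a target, and one whose target ids advance in consecutive steps. The thresholds are illustrative assumptions, not published values.

```python
"""Sliding-window rate limiting plus scraping-pattern detection over a constructed access log."""
from collections import defaultdict, deque


def build_sample_events():
    """Constructed events (not real traffic): (timestamp_seconds, client_id, target_profile_id)."""
    events = []
    # A normal user revisiting a handful of friends' profiles over about a minute.
    for i, target in enumerate([42, 42, 17, 99, 42]):
        events.append((i * 12.0, "user-alice", target))
    # A scraper enumerating profile ids 1000..1039 at two requests per second.
    for i in range(40):
        events.append((i * 0.5, "scraper-7", 1000 + i))
    events.sort(key=lambda e: e[0])  # order by time, as a real log would be
    return events


class SlidingWindowLimiter:
    """Allow at most max_requests per client within any window_seconds span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client -> timestamps still inside the window

    def allow(self, client, ts):
        q = self._hits[client]
        while q and ts - q[0] >= self.window:  # evict timestamps that aged out
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over budget: request is throttled
        q.append(ts)
        return True


def enumeration_indicators(targets):
    """Return (distinct_ratio, sequential_ratio) for one client's sequence of target ids.

    distinct_ratio   -> share of requests that hit a not-yet-seen target (scrapers rarely repeat)
    sequential_ratio -> share of consecutive requests whose target id grew by exactly one
    """
    if not targets:
        return 0.0, 0.0
    distinct_ratio = len(set(targets)) / len(targets)
    if len(targets) < 2:
        return distinct_ratio, 0.0
    steps = sum(1 for a, b in zip(targets, targets[1:]) if b - a == 1)
    return distinct_ratio, steps / (len(targets) - 1)


def analyze(events, max_requests=20, window_seconds=60, min_requests=10,
            distinct_threshold=0.9, sequential_threshold=0.5):
    """Run the limiter over the log and score each client for enumeration behaviour.

    Throttled requests still count towards detection: a blocked attempt is evidence too.
    """
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    per_client = defaultdict(lambda: {"allowed": 0, "throttled": 0, "targets": []})
    for ts, client, target in events:
        stats = per_client[client]
        if limiter.allow(client, ts):
            stats["allowed"] += 1
        else:
            stats["throttled"] += 1
        stats["targets"].append(target)

    report = {}
    for client, stats in per_client.items():
        distinct, sequential = enumeration_indicators(stats["targets"])
        total = len(stats["targets"])
        flagged = (total >= min_requests
                   and distinct >= distinct_threshold
                   and sequential >= sequential_threshold)
        report[client] = {
            "allowed": stats["allowed"],
            "throttled": stats["throttled"],
            "distinct_ratio": round(distinct, 2),
            "sequential_ratio": round(sequential, 2),
            "flagged": flagged,
        }
    return report


if __name__ == "__main__":
    for client, summary in analyze(build_sample_events()).items():
        print(client, summary)
```

With the constructed log, the ordinary user is never throttled and scores low on both indicators, while the scraper has half of its 40 requests refused by the 20-per-minute limit and is flagged because every request hits a new, consecutive profile id. In production the client identifier would combine more than an IP address (session, device fingerprint, API key), and a flag would feed a blocking or review queue rather than act on its own.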
It is unfortunate that these facilities weren’t already tightened up before the company suffered the numerous breaches of its systems. Hopefully, the gaps have been closed as much as possible now, and the fines serve as notice that personal data privacy is a key mandate in the management of user data for the future.