Meta fined €265M for allowing scrapers to steal Facebook's centralized user data
The Irish Data Protection Commission (DPC) announced on Nov. 28 that it has fined Facebook developer Meta €265m for breach of the European Union’s General Data Protection Regulation (GDPR). Specifically, the commission stated that it had fined Meta for failing to design Facebook in such a way that it would protect users from data breaches.
The announcement followed a more than year-long investigation that began in April 2021. The breach itself occurred even earlier, in late 2019.
Data Protection Commission announces decision in Facebook “Data Scraping” Inquiry: https://t.co/xW9nVqiJ2Y
— Data Protection Commission Ireland (@DPCIreland) November 28, 2022

The data breach was first discovered when a TechCrunch report revealed that hundreds of millions of Facebook users’ phone numbers were listed in a publicly accessible database online. Although the database was later taken down by the web host, its existence revealed that Facebook’s data had been breached.
In April 2021, the DPC began investigating the breach. At the time, Meta posted a statement about the breach called “The Facts on News Reports About Facebook Data.” Meta claimed that an attacker had used its contact importer tool to submit large volumes of phone numbers to the server in order to see which ones had Facebook accounts associated with them.
Each time the attacker got a match, they were able to obtain the personal details of that user and pair those details with the user’s phone number. As a result, users’ personal data had been leaked to malicious actors.
In the statement, Meta claimed that it had patched this contact importer vulnerability once the breach was discovered and that the tool was now safe.
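The enumeration pattern described above, as an added illustration that is not Meta's code and does not describe Meta's actual fix: a toy contact-import lookup in its weak form beside a hardened form that caps batch size, rate-limits each caller, returns only an opaque id, and flags callers whose lookups are mostly misses. The directory contents, thresholds and mitigations are all assumptions chosen for the example.

```python
from collections import defaultdict
from time import monotonic

# Constructed sample directory (phone -> profile); hypothetical data.
DIRECTORY = {
    "+15550000001": {"name": "Alice", "uid": 101},
    "+15550000002": {"name": "Bob", "uid": 102},
}

def lookup_unprotected(phones):
    """Weak design: any caller can submit an unbounded list of numbers and
    learns, per number, whether an account exists plus its profile details."""
    return {p: DIRECTORY[p] for p in phones if p in DIRECTORY}

class ContactImporter:
    """Hardened design (assumed mitigations, not Meta's actual fix): cap the
    batch size, rate-limit each authenticated caller over a sliding hour,
    return an opaque id rather than profile fields, and flag callers whose
    lookups are mostly misses, the signature of sweeping a number range
    rather than importing a genuine address book."""

    def __init__(self, max_batch=500, max_per_hour=2000,
                 min_hit_rate=0.05, min_sample=200, clock=monotonic):
        self.max_batch, self.max_per_hour = max_batch, max_per_hour
        self.min_hit_rate, self.min_sample = min_hit_rate, min_sample
        self.clock = clock
        self.usage = defaultdict(list)            # caller -> [(time, count)]
        self.stats = defaultdict(lambda: [0, 0])  # caller -> [queried, matched]
        self.flagged = set()                      # callers needing review

    def lookup(self, caller, phones):
        if len(phones) > self.max_batch:
            raise ValueError("batch exceeds max_batch")
        now = self.clock()
        recent = [(t, n) for t, n in self.usage[caller] if now - t < 3600]
        if sum(n for _, n in recent) + len(phones) > self.max_per_hour:
            raise PermissionError("hourly lookup quota exceeded")
        recent.append((now, len(phones)))
        self.usage[caller] = recent
        matches = [p for p in phones if p in DIRECTORY]
        st = self.stats[caller]
        st[0] += len(phones)
        st[1] += len(matches)
        if st[0] >= self.min_sample and st[1] / st[0] < self.min_hit_rate:
            self.flagged.add(caller)  # many lookups, few hits: enumeration pattern
        return {p: DIRECTORY[p]["uid"] for p in matches}
```

A flagged caller would be routed to step-up verification or blocked rather than served further lookups; the thresholds must be tuned against what genuine address-book imports look like on the platform.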
According to the new DPC statement, it found “infringement of Articles 25(1) and 25(2) GDPR” due to this incident and “has imposed administrative fines totalling €265 million.”
The use of personal data in social media apps has become controversial in recent years as data breaches have become commonplace.
Several blockchain companies have attempted to solve the problem by creating blockchain social media apps that do not require users to give out their email addresses or phone numbers. For example, both Bitclout and Blockster are social media apps that allow users to sign in with just an Ethereum wallet.
Ethereum developers have also offered a proposal, called “EIP-4361,” to standardize the wallet login process across all apps. Supporters believe this could eliminate the need to ask users for sensitive personal information in social media apps, which could help to prevent breaches like this in the future.