There’s some bad news for Meta, in the form of a $277 million fine related to a data breach which impacted no fewer than 500 million users. The fine, issued by the Irish Data Protection Commission, is a result of the fallout from scraped data posted to a hacking forum in 2019. As The Guardian notes, this brings the current running tally of fines to close to a billion dollars in fines from the EU since September 2021. How did we arrive at this increasingly spectacular figure?
Making contact in the worst way possible
It all went wrong for Meta this time around thanks to a Contacts Import tool, designed to connect phone numbers with Facebook IDs. Attackers figured out a way to scrape user information and then used it to build up a profile of the users.
This data eventually worked its way onto the forum. It contained a wealth of data including name, gender, DOB, mobile number, emails, and more.
From the Data Protection Commission website statement:
“The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.”
Which articles were infringed?
Article 25(1) and Article 25(2) are the rules where Meta found itself in hot water with the DPC, which are summarised below:
“…the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
This infringement of the GDPR articles was enough to eventually result in the eye-watering fine given to Meta. Quite the blow, considering it wasn’t so long ago that a $419m fine was applied as a result of breaches of children’s privacy rights on Instagram.
Scrape it to make it
Scraping data remains a major thorn in the side for social networks and other sites responsible for the safety of user data. Just recently, Twitter has felt the fallout of scraped user data which includes phone numbers and email addresses. Elsewhere, LinkedIn is going legal to prevent users scraping data only available for logged in members.
Will these fines have any lasting impact on social media giants to change behaviour and proactively shore up the defences which are breached time and again? Or will the increasingly visible phrase “Just the cost of doing business here” become the norm as big business sets aside large amounts for a rainy and fine laden day?
We have to hope it’s the former and not the latter, because the last thing we need to see creeping in against the onset of large fines is complacency. It’s crucial that companies entrusted with our data do everything possible to prevent the scraping of data, from tools specifically about making data connections in the first place.
Credits: Malware Bytes Lab