Meta hit with $263 million fine in Europe over 2018 data breach

Meta has been fined $263.5 million (€251 million) by Ireland’s Data Protection Commission (DPC) for a 2018 Facebook security breach that exposed the sensitive data of 29 million users globally.

The breach exploited a vulnerability in Facebook’s “view as” feature, which allows users to view their profiles as others would see them. The exploit enabled unauthorized access to personal information, including full names, contact details, locations, workplaces, dates of birth, religions, genders, and even data related to users’ children, according to the DPC.

Meta had reported the incident to the Irish regulator after its discovery and took immediate steps to address the issue. Despite this, the DPC cited several violations of the European Union’s General Data Protection Regulation (GDPR), highlighting the risks associated with the exposure of such personal data.

This latest penalty adds to a series of GDPR fines against Meta, bringing the total to over $3 billion. Meta has said it will appeal the decision, according to Reuters, emphasizing the measures it has implemented to safeguard user data since the incident.

Analysts say Meta’s fine serves as a stark reminder for companies operating in the EU to prioritize data protection as a critical business obligation. The penalty underscores growing regulatory scrutiny and the importance of aligning with the GDPR. Experts warn that compliance requires more than meeting minimum legal standards, urging businesses to embed data protection into system design, establish robust incident response protocols, and ensure transparency in their security measures.

“Simply put, companies are bound by laws, and as juristic persons, complying with GDPR is no longer optional but a governance imperative,” said Thomas George, president of Cybermedia Research. “Organizations are now expected to invest heavily in compliance and foster a culture shift towards data protection. The GDPR fines against giants like Meta confirm a growing trend toward stricter enforcement of data privacy regulations.”

For CIOs and CTOs, the message is clear: data protection must be a foundational consideration for all business operations, not an afterthought.

“Organizations must urgently adapt by implementing well-defined data management policies and robust user consent management systems to meet these heightened regulatory standards,” George added. “It also serves as a reminder of the significant financial and reputational costs that can result from non-compliance.”

Need for secure by design

While GDPR provides a robust framework for managing data privacy, experts also argue that mere compliance may fall short of addressing the root causes of data breaches. The complexity of modern cyber threats demands a proactive approach that extends beyond regulatory mandates, emphasizing prevention as much as response.

“While GDPR does have a mandate on timely notification of breaches, that itself is not enough,” said Keith Prabhu, founder and CEO of Confidis. “Privacy needs to be taken care of during the design phase as well to prevent data breaches. Whether you need to comply with GDPR or any other privacy regulation, robust data breach notification and incident management processes are not optional. Without these, organizations will not only face fines but also business in the long term.”

This emphasis on privacy by design highlights a shift in mindset for organizations. Instead of treating compliance as a box-ticking exercise, businesses would have to integrate privacy safeguards into their core processes and technology architectures.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3627299/meta-hit-with-263-million-fine-in-europe-over-2018-data-breach.html
