Facebook parent Meta is facing a legal challenge from digital rights group Digital Rights Ireland (DRI) over a significant data-scraping breach that resulted in a €265 million penalty for Facebook under the European Union’s General Data Protection Regulation (GDPR) last year.

DRI is challenging Ireland’s Data Protection Commission (DPC) ruling, in which the lead data protection regulator in the EU said that no security breach occurred. Instead, the DPC found that Meta had breached the GDPR’s requirement for data protection by design and imposed a fine.

Minor punishment

However, since no breach of the security of processing under Article 32 of the GDPR was found, Meta was not required to notify the 100 million EU-based Facebook users whose information was exposed and posted to online forums by unknown “malicious actors”.

Instead, Meta got the option to pay a fine totalling a tiny fraction of its revenue to make the issue go away. The malicious actors obtained Facebook user data by abusing an unsecured contact importer feature offered by Facebook until September 2019.

This feature allowed large sets of phone numbers to be uploaded, which enabled the malicious actors to match phone numbers with Facebook profiles and collect a massive dataset of individuals.

Personal information

In most cases, the data included phone numbers, names, genders and Facebook IDs that were later found exposed online.

Data sets containing linked names, phone numbers and social media profile information offer a “treasure trove” for fraudsters looking to target people, according to DRI.

The total number of affected Facebook users is estimated to be around 533 million worldwide, meaning that the EU component of the data-scraping breach is just the tip of the iceberg.
