Meta fined $276 million for not protecting its user data from scrapers

John Greenwood Posted On November 28, 2022
The social media giant Meta has been fined €265 million ($275.5 million) by the Data Protection Commission (DPC) of Ireland. The fine comes after a massive leak of Meta's data that exposed the personal data of millions of users worldwide.

This concludes the DPC's investigation into potential GDPR violations by Meta, which was first filed on April 14, 2021, once the data of 533 million Meta users was disclosed on a hacker forum.

The exposed data included mobile numbers, Facebook IDs, gender, location, occupation, dates of birth, names, relationship status and email addresses.

Meta fined for not fixing their anti-data extraction mechanism

The disclosure of this sensitive data on a hacker forum was an invitation to malicious threat actors to use the data for further infiltration and attacks.

According to Meta, hackers stole the data by using a flaw in its Contact Importer tool to match mobile numbers with a Facebook profile/ID, and then built on each match to assemble a complete profile.

[Image: Meta fined 275 million. Source: Dataprotection.ie]

Although Meta mentions that the bug was fixed in 2019, Meta did collect users' data before that, and the DPC's investigation found that Meta infringed Articles 25(1) and 25(2) of the GDPR.

Here is what Articles 25(1) and 25(2) state:

  • Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. (source: GDPR)
  • The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. (source: GDPR)

Data Scrapers and their data accumulation manipulation

Data scrapers are bots that manipulate the open APIs of various platforms to extract publicly available data, accumulating it in volume to form user profile databases.

However, according to Meta, the hackers exploited the Contact Importer on Facebook and Instagram to match phone numbers with their publicly scraped data, which let them create profiles containing both private and public data.

LinkedIn also faced a similar situation recently and initiated legal proceedings to prevent data scraping on its platform and the extraction of its users' data.

As for the DPC's stance on Meta's data leakage incident: since the DPC is considered a spearhead of GDPR compliance, other data protection authorities may scrutinize such incidents further and make data controllers reevaluate their anti-scraping mechanisms.

Author

John Greenwood

He has been working in the Cybersec and Infosec market for 12+ years. He is passionate about AI, Cybersecurity, Info security, Blockchain and Machine Learning. When he is not occupied with cybersecurity, he likes to go on bike rides!
