This article is more than 1 year old

Meta fined $275m after data-scraping fiasco leaked 533m Facebook users' profiles

Irish eyes aren't smiling

Ireland's data privacy agency today said it fined Meta €265 million ($275 million) for failing to protect users' data after millions of Facebook users' phone numbers and other private info was given away online for free. 

The country's Data Protection Commission (DPC) also ordered the social media giant to implement a "range of corrective measures" to comply with Europe's GDPR, which requires companies to protect data "by design and default."

DPC did not immediately respond to The Register's inquiries about what corrective measures Meta must undertake.

A Meta spokesperson declined to say if the company planned to appeal the decision to the Irish courts. "We are reviewing this decision carefully," the spokesperson told The Register.

"Protecting the privacy and security of people's data is fundamental to how our business works," the Meta spokesperson said, adding that the company "cooperated fully" with Ireland's DPC. 

"We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers," the spokesperson added. "Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge."

Between May 2018 and September 2019, miscreants exploited a security shortfall in Facebook to scrape personal information including phone numbers, locations, email addresses, birthdays, and marital status from 533 million people's profiles. 

Crooks then offered all of the personal data for free on a cybercrime forum, which sparked the DPC investigation in 2021. 

"The commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service, or whether any provision(s) of the GDPR and/or the Data Protection Act 2018 have been, and/or are being, infringed by Facebook in this respect," Ireland's data privacy agency said at the time.

The DPC's data-scraping decision comes less than a week after a US District Court judge ruled in Meta's favor against a Belarusian developer who allegedly used a network of bots and Instagram accounts he controlled to deliver millions of automated likes to his customers' accounts.

On Wednesday, Judge William Alsup also ordered Nikolay Holper to pay Meta damages just under $200,000: $100,000.00 in statutory damages for cybersquatting; $89,351.00 in attorney's fees; and $10,184.44 in costs – totaling $199,535.44. ®

More about


Send us news

Other stories you might like