Facebook owner Meta has been fined €265m (£230m) by Irish regulators.
The Data Protection Commission opened an inquiry into Meta in April 2021, after data from 533 million people in 106 countries was published on a hacking forum having been “scraped” from Facebook years earlier.
The DPC said Meta had breached Europe’s General Data Protection Regulation (GDPR).
Meta says it is “reviewing this decision carefully”.
“Protecting the privacy and security of people’s data is fundamental to how our business works”, an official said.
“That’s why we have cooperated fully with the Irish Data Protection Commission on this important issue.”
Facebook’s search and contact-importing tools for Messenger and Instagram were misused to automatically extract the data between 25 May 2018 and September 2019.
“Because this dataset was so large, because there had been previous instances of scraping on the platform where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction,” Data Protection Commissioner Helen Dixon told Irish public broadcaster RTÉ.
The fine also reflected “considerable” risks to users, such as:
- the potential for spamming
- text- and email-based phishing attacks
- a loss of control over their data
The feature manipulated to access the data was changed in 2019, after Facebook became aware it was being abused.
The Meta official said the platform had implemented changes to reduce the potential for data to be scraped using phone numbers.
“Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge,” the official added.
Two months ago, the DPC issued Instagram, also owned by Meta, a record fine for violating children’s privacy.