It was only a matter of time before the verdict fell, but Facebook has just been condemned for “negligence” leading to a hack. If the facts occurred in 2018, it is at the end of December 2024 that the Irish Data Protection Commission has just given the end to this story.
As a reminder, in September 2018, the world discovered with horror that a cyberattack had hit the number 1 social network, Facebook. 29 million accounts were hit, with theft of personal data on a scale rarely seen at the time.
If this hack did not affect Europe much (3 million people out of the 29 million victims), it was enough for the DPC (the Irish Data Protection Commission) to step up to the plate . Facebook being hosted in the country (for tax reasons) it was the only legitimate institution to attack the social network for its operating defects.
Because according to the conclusions of the DPC, this hacking could have been avoided. For Graham Doyle, head of communications for the Irish regulator, this court decision “ shows how failing to integrate data protection requirements throughout the design and development cycle can expose people to very serious risks and harm “.
A record fine
So, six years after this hack, Facebook has just been fined 251 million euros. This may seem like a lot, but for a company like this, it’s actually a small amount considering the billions of dollars raised every year.
It is important to note that this record fine, despite its amount, could never have seen the light of day without the adoption, a few months before the attack, of the GDPR. This regulation, which requires digital giants to secure users’ personal data, has been hampered according to the DPC.
Meta disputes and appeals
However, this vision of things does not please the Meta group at all. The parent company of Facebook has also announced that it will appeal the court decision. In a press release defending its version of the facts, Facebook says it is as much a victim as the people robbed.
The social network also ensures that it took “immediate measures to resolve the problem” as soon as it was identified. A version contradicted by the DPC, which ensures that the bug causing this hack remained online for at least 14 days.
