Facebook has been fined €265 million by Ireland's Data Protection Commission (DPC). The reason is the failure of Meta Platforms to safeguard the personal data of more than half a billion users of its Facebook service. The decision concluded an inquiry opened by the European regulator on April 14, 2021, prompted by a leak of Facebook personal data that had been made available on the internet.
Five hundred thirty-three million Facebook users were affected, with data such as phone numbers, dates of birth, locations, email addresses, gender, marital status, account creation date, and other profile details exposed. Meta acknowledged that some of the "old data" was obtained through "phone number enumeration": attackers fed large sets of phone numbers into a feature called "Contact Importer" and used the matches to scrape users' public profiles.
It was just one huge fine among many others that have hit Zuckerberg's business over the last few years: in 2021, WhatsApp was fined €225 million for a lack of transparency about how users' personal information is gathered and used, and this September, Instagram suffered a whopping €405 million fine for violating the EU General Data Protection Regulation (GDPR).
Facebook has already taken some countermeasures, such as removing the ability to use phone numbers to retrieve account information, and expanding its bug bounty program to reward valid reports of scraping vulnerabilities across its platforms and to include reports of scraped datasets that are available online.
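To make the countermeasure concrete, here is an added example (not Meta's code, and not a description of how Contact Importer actually works) of a contact-import lookup service hardened against phone number enumeration. The class name, limits and the sample phone directory are all constructed for illustration. It caps batch size, enforces a per-caller velocity limit over a sliding window, rejects batches that look like a generated number range rather than a real address book, and returns only an opaque account id for a match instead of profile details. Every rejection is recorded as an alert so that a detection team can review the caller.

```python
"""Hardened contact-import lookup with enumeration controls (added example)."""
import time
from collections import defaultdict, deque

# Constructed sample directory: phone number -> minimal account record.
# These are made-up numbers and names, not real user data.
USER_DIRECTORY = {
    "+15550000001": {"id": 101, "name": "Alice"},
    "+15550000002": {"id": 102, "name": "Bob"},
    "+15550000003": {"id": 103, "name": "Carol"},
    "+15550001234": {"id": 104, "name": "Dan"},
}


def looks_sequential(numbers, min_ratio=0.8):
    """Return True when most of the sorted numbers differ by exactly 1.

    A generated range (+1555000001, +1555000002, ...) looks like this;
    a genuine address book almost never does.
    """
    digits = sorted(int(n.lstrip("+")) for n in numbers if n.lstrip("+").isdigit())
    if len(digits) < 3:
        return False
    steps = [b - a for a, b in zip(digits, digits[1:])]
    return sum(1 for s in steps if s == 1) / len(steps) >= min_ratio


class ContactImporter:
    """Phone-to-account matching with batch caps, per-caller velocity
    limits and enumeration detection (hypothetical service, not Meta's)."""

    def __init__(self, max_batch=20, max_numbers_per_window=200, window_seconds=3600):
        self.max_batch = max_batch
        self.max_numbers_per_window = max_numbers_per_window
        self.window_seconds = window_seconds
        # caller -> deque of (timestamp, numbers looked up) within the window
        self._history = defaultdict(deque)
        # (caller, reason) tuples for the detection team to review
        self.alerts = []

    def _numbers_in_window(self, caller, now):
        """Evict expired entries and return how many numbers the caller
        has already looked up inside the sliding window."""
        q = self._history[caller]
        while q and now - q[0][0] > self.window_seconds:
            q.popleft()
        return sum(count for _, count in q)

    def lookup(self, caller, numbers, now=None):
        """Match the caller's numbers against the directory.

        Returns {"status": ..., "matches": [account ids]}; the response never
        carries names or other profile details, only opaque ids.
        """
        now = time.time() if now is None else now

        # Control 1: bound the size of a single request.
        if len(numbers) > self.max_batch:
            self.alerts.append((caller, "batch_too_large"))
            return {"status": "rejected", "matches": []}

        # Control 2: velocity limit per caller over the sliding window.
        used = self._numbers_in_window(caller, now)
        if used + len(numbers) > self.max_numbers_per_window:
            self.alerts.append((caller, "rate_limited"))
            return {"status": "rate_limited", "matches": []}

        # Control 3: reject batches shaped like a generated number range.
        if looks_sequential(numbers):
            self.alerts.append((caller, "sequential_range"))
            return {"status": "rejected", "matches": []}

        self._history[caller].append((now, len(numbers)))
        matches = [USER_DIRECTORY[n]["id"] for n in numbers if n in USER_DIRECTORY]
        return {"status": "ok", "matches": matches}


if __name__ == "__main__":
    importer = ContactImporter(max_batch=3, max_numbers_per_window=5, window_seconds=60)
    print(importer.lookup("app-a", ["+15550000001", "+15550001234"], now=1000.0))
    print(importer.lookup("app-b", ["+15550000001", "+15550000002", "+15550000003"], now=1001.0))
    print(importer.alerts)
```

The three controls are deliberately independent: the batch cap and velocity limit bound how much any one caller can learn per hour, the sequential-range check catches the obvious shape of an enumeration run even inside those limits, and returning opaque ids rather than profile fields limits what a successful match reveals. The alerts list stands in for whatever your SOC actually consumes (a log line, a metric, a ticket).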
The total amount of these fines inevitably raises the question of whether Meta could have saved money had it taken all the precautions in time. Sure, it could have, and this is a lesson every business should take to heart: data leaks and breaches are cheaper to prevent than to remediate and compensate, and that applies not only to large enterprises.
Jurisdictions around the world are getting tougher on companies that fail to protect the sensitive data they hold. For example, Australia has just announced that companies failing to protect personal data adequately could face fines of $50 million or more under new legislation to be introduced next week. It is a global trend: governments are set to make enterprises, SMBs, and public institutions prevent breaches before they happen.
Meta can afford very big fines. Not every business can, especially one in a highly competitive environment, which doesn't quite exist for Meta. You can get breached, suffer a leak, settle all the legal issues, and still lose customers who switch to your competitors. So the price of a breach eventually becomes unsustainable for the business.
To see what a GDPR violation fine for an average business might look like, just look at this tracker: https://www.enforcementtracker.com. Note that this is not a complete list, as not all fines for GDPR violations are made public. To save you time, here are some of the recent fines:
Clearview AI Inc. was fined €20 million for insufficient fulfillment of data subjects' rights.
Easylife Ltd was fined €1.6 million for an insufficient legal basis for data processing.
Setúbal municipality, Portugal, was fined €180K for non-compliance with general data processing principles.
The range of reasons for possible GDPR fines is quite wide and includes, among other things: processing personal data without valid consent; not responding to data subjects' requests to exercise their data privacy rights; and failure to implement the data security measures required to prevent breaches, leaks, and the like. We at #SEKURNO provide various solutions and services aimed at minimizing data loss and the financial and reputational risks that come with it, such as:
Implement Information Security Management Systems (ISMS) based on the requirements of ISO 27001 and other standards, and help you get certified.
Help achieve and maintain GDPR compliance.
Evaluate risks connected with third parties, including assessment of their security posture and more.
Help bring secure-by-design best practices into software development (SSDLC) to eliminate bugs and vulnerabilities before release.
Design and implement endpoint and network security and monitoring solutions.
Identify sensitive data and implement data loss prevention (DLP) solutions.
Let's handle it wisely. Book a brief call with us to discover how we can protect you from cybersecurity risks.