Meta has been fined roughly $275 million by Ireland’s data privacy regulator for failing to prevent hackers from siphoning off personal information from more than 500 million Facebook users in a 2019 data leak.
Monday’s announcement marked the fourth time in about a year that Facebook’s parent company has been penalized by the Irish Data Protection Commission, the chief privacy regulator overseeing Meta’s operations in Europe. The decision to impose the fine was made last Friday, the commission said.
Since the fall of 2021, Ireland’s DPC has slapped Meta with 912 million euros in fines, going after the social media titan and its other subsidiaries, Instagram and WhatsApp, for alleged violations of Europe’s signature data privacy law, known as the General Data Protection Regulation (GDPR).
Earlier this fall, Meta was hit with a 405 million euro fine over Instagram’s handling of children’s data, the second-largest GDPR fine in history. Other enforcement actions, in March 2022 and September 2021, led to fines of 17 million euros and 225 million euros, respectively.
In a statement Monday, a Meta spokesperson said it was reviewing the DPC’s decision “carefully” and that it had cooperated fully with the agency’s investigation.
The probe began last April after Business Insider reported that more than half a billion Facebook users’ details had been posted on an underground hacker website. At the time, Facebook said malicious actors had abused its contact importer tool to match known phone numbers against the profiles of Facebook users before harvesting additional information from their profiles.
“Protecting the privacy and security of people’s data is fundamental to how our business works,” Meta said in Monday’s statement. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge.”
The Irish DPC’s decision comes amid broad criticism by privacy advocates that regulators have moved slowly and hesitantly to enforce GDPR, which went into effect in 2018.
The largest GDPR fine to date was imposed last year on Amazon for 746 million euros by privacy regulators in Luxembourg who said the way the e-commerce company processes personal data does not comply with the law. Amazon is fighting the penalty.