The Irish Data Protection Commission (DPC) announced on Nov. 28 that it has fined Facebook developer Meta €265m for breach of the European Union’s General Data Protection Regulation (GDPR). Specifically, the commission stated that it had fined Meta for failing to design Facebook in such a way that it would protect users from data breaches.
The announcement followed a more than year-long investigation that began in April 2021. The breach itself occurred even earlier, in late 2019.
Data Protection Commission announces decision in Facebook “Data Scraping” Inquiry: https://t.co/xW9nVqiJ2Y
The data breach was first discovered when a TechCrunch report revealed that hundreds of millions of Facebook users’ phone numbers were listed in a publicly accessible database online. Although the database was later taken down by the web host, its existence revealed that Facebook’s data had been breached.
In April 2021, the DPC began investigating the breach. At the time, Meta posted a statement about the breach called “The Facts on News Reports About Facebook Data.” Meta claimed that an attacker had used its contact importer tool to spam the server with phone numbers to see which ones had Facebook accounts associated with them.
Each time the attacker got a response, they were able to obtain the personal details of the user and match these details with the user’s phone number. As a result, users’ personal data had been leaked to malicious actors.
In the statement, Meta claimed that it had patched this contact importer vulnerability once the breach was discovered and that the tool was now safe.
According to the new DPC statement, it found “infringement of Articles 25(1) and 25(2) GDPR” due to this incident and “has