Ireland’s data privacy regulator has fined Meta roughly $275 million for failing to prevent a 2019 data breach that affected more than 500 million Facebook users.

According to Ireland’s Data Protection Commission (DPC), the agency commenced the inquiry in April 2021, after Business Insider reported that a dataset of Facebook personal data had been leaked. The inquiry alleged that Meta had violated Europe’s data privacy law, the General Data Protection Regulation (GDPR).

“There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU,” the DPC said. “Those supervisory authorities agreed with the decision of the DPC.” The decision to impose the fine was made last Friday, the commission said.

The decision imposed a reprimand and an order requiring Meta Platforms Ireland Limited to bring its processing into compliance by taking a range of security actions within a timeframe, as well as administrative fines totaling $275 million ( €265 million). 

Since the fall of 2021, Ireland’s data privacy regulator has hit Meta with a total of 912 million euros in fines, according to CNN. Earlier this year, Meta received a 405 million euro fine over Instagram’s handling of children’s data, the second-largest GDPR fine in history. In March 2022 and September 2021, other penalties led to fines of 17 million euros and 225 million euros, respectively.

“Protecting the privacy and security of people’s data is fundamental to how our business works,” Meta said in a statement. “We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorized data scraping is unacceptable and against our rules, and we will continue working with our peers on this industry challenge.”

Mike Parkin, Senior Technical Engineer at Vulcan Cyber, says, “As we have seen from other recent fines against tech companies, regulators in Europe, especially European Union member countries, take privacy seriously. Much more so than regulators in the US do. Given Meta’s history with user data privacy, it seems they got off reasonably light.”

“Companies that are used to operating with minimal concern for user data privacy need to understand that we’ve been moving towards stronger protections and user rights for some time, especially in Europe,” Parkin adds. “If they aren’t making good faith efforts to protect that user data, they may face serious financial impacts if threat actors manage to get it. The fines are even worse when the organization isn’t making an effort to comply with the regulations and loses data to simple web scraping.”

According to Piyush Pandey, CEO at Pathlock, the fine should be a very expensive reminder to organizations that house any type of sensitive data “customer, patient, employee, company, etc. - that access policies with fine-grained entitlements should be the norm, not the exception.”