The Irish Data Protection Commission (DPC) has fined Meta €265 million ($277 million) for failing to protect users against data scraping, a violation of the General Data Protection Regulation (GDPR).
The data-scraping leak has affected over 533 million users, whose information — like mobile numbers, gender, location, relationship status, occupation, birth dates, and email addresses — was leaked online.
This recent violation marks the fourth time the DPC has fined Meta for breaching European data protection laws. Earlier, in September, the Irish regulator found Instagram, a Meta subsidiary, in violation of GDPR’s child privacy provisions.
The DPC’s inquiry into the latest data-scraping violation began in April 2021 after cybercriminals shared user information on hacking forums. In response, Meta claimed that web scrapers had harvested this data in 2018 and 2019, and that the company had since strengthened its protections for user information.
Meta’s GDPR Breach
The inquiry examined the Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools. After the investigation, the Irish regulatory authority, which oversees data protection matters in Europe, imposed the latest fine on Meta.
The investigation found that Meta had infringed GDPR articles 25(1) and 25(2):
“25(1) — The data controller shall implement appropriate technical and organizational measures, such as pseudonymization, and integrate the necessary safeguards into the processing to meet the requirements of this Regulation and protect the rights of data subjects.”
“25(2) — The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each processing purpose are processed. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
In its statement, the DPC said it worked with EU data authorities to reach its verdict, and that these authorities supported its decision.
A Troubling Track Record
This isn’t the first time that Meta has run afoul of the authorities over data protection laws. In total, the DPC has fined Meta nearly €1 billion for the four GDPR violations, and it currently has 13 inquiries outstanding against Meta.
In July 2022, plaintiffs filed a class action lawsuit in California against Meta, the UCSF Medical Center, and the Dignity Health Medical Foundation. Under the lawsuit, the plaintiffs accused these organizations of collecting users’ sensitive healthcare data for targeted advertising without their consent.
Users first became aware of the tracking when they began seeing advertisements specifically tailored to their medical conditions. Moreover, the claimants alleged that Meta and healthcare providers knew their actions were illegal, yet proceeded anyway.
In another incident, involving the infamous Cambridge Analytica, Meta allowed access to the sensitive information of 87 million users. Meta recently settled that case.
How Do Cybercriminals Exploit Users’ Personal Information?
Often, cybercriminals have only one or two pieces of information with which to launch attacks. But with the recent data-scraping leak from Meta, they have more than enough data points to launch sophisticated phishing and spoofing attacks. Cybercrooks will use the data to build trust with their victims and encourage them to click on fraudulent links.
Generally, victims are more likely to fall for a subterfuge when the caller has a lot of information about them. Cybercriminals could, for instance, pose as a government agency and claim they obtained the user’s information “from their records”.
In addition, these actors can perform SIM swap attacks to intercept two-factor authentication codes and one-time passcodes sent via text.
In this recent Meta data-scraping violation, cybercriminals organized the scraped information into neat rows and columns. As a result, threat actors could more easily choose their targets. The records show the number of affected users by country, with 1.5 million users in Ireland and 32 million in the US.
Initially, such information is sold for a price on the dark web. But over time, it becomes cheaper and cheaper, until it’s eventually available for free.
Data Scraping — Legal or Illegal?
For clarity, it’s important to differentiate between data scraping and hacking. This Meta incident involved data scraping, not hacking or social engineering. It’s easier to scrape information off a public profile than to break into an account.
During this recent data-scraping violation, cybercriminals scraped information from online public profiles — they did not infiltrate any networks.
Most large online media companies don’t allow data scraping. However, enforcement of such policies is often lax.
In early November of this year, LinkedIn secured a verdict against a data-scraping company, preventing the company from using any information scraped from its platform.
“The Court’s ruling helps us better protect everyone in our professional community from unauthorized use of profile data, and it establishes important precedent to stop this kind of abuse in the future. We will continue to fight on behalf of our members to stop illegal scraping. From taking legal action against unauthorized scraping to making significant investments in technical defenses, we are committed to keeping the control of data where it belongs — with our members.”
The DPC’s ruling against Meta has important implications for tech companies everywhere, as well as for entities that specialize in data gathering. Web crawling and data extraction companies will need to tread carefully in jurisdictions that follow GDPR, like the EU, or they’ll find little sympathy in European courts.
In addition, the verdict against Meta should stand as a warning to social media platforms. They must implement stringent anti-scraping mechanisms into their code base or risk paying hefty fines.
Protecting Your Online Information
Data scraping has long been a controversial topic in the discussion on data privacy, as it allows cybercriminals to obtain sensitive user information.
However, it can have legitimate purposes too. For example, it’s used in the aggregation of news sources, feeding stock information into APIs and trading applications, and monitoring resellers on pricing agreements.
There are a few simple steps you can take to protect your information against web scrapers. First, consider limiting the number of accounts you hold on different social platforms. The more social media accounts you have, the greater the number of attack vectors.
Additionally, don’t rely on the discretion of online media platforms and Big Tech, as they have a history of intentionally providing user information to third parties.
For businesses, it’s important to use up-to-date protocols, in-house professionals, and certified third-party providers to boost network security.
Network security includes patch management, vulnerability scanning, network auditing, email spam filtering, data storage, and many other criteria that can safeguard sensitive information from scraping.
Given the large number of privacy scandals and court cases, both individuals and businesses have to keep as watchful an eye on their security as possible.