The Republic of Ireland’s Data Protection Commission (DPC) fined Meta Platform Ireland (MPIL) €251 million following two inquiries into a data breach that impacted approximately 29 million global Facebook accounts.

Meta Platforms self-reported the data breach that took place in September 2018.

The DPC stated the breach included personal data such as full names, mail addresses; phone numbers; places of work; birth dates; religion and gender, as well as posts on timelines and groups where users were members.

The watchdog noted three million of the users impacted were based in the European Union and European Economic Area.

The breach occurred due to the exploitation by unauthorised third parties of user tokens on the Facebook platform.  It was remedied by MPIL and its US parent company shortly after discovery.

The scope of the IDC’s inquiries falls under the European Union’s General Data Protection Regulation (GDPR).

The DPC found the social media giant infringed on GDPR rules “by failing to document the facts relating to each breach, the steps taken to remedy them”.

It also noted MPIL failed in its obligations “to ensure that, by default, only personal data that are necessary for specific purposes are processed”.

Meta Platforms told Bloomberg the company took immediate action to fix the problem as soon as it was identified, and that it proactively informed the users that were impacted as well as the DPC.

The DPC stated it will publish the full decision and further related information in due course. Meta Platforms said it will appeal the decisions, according to the news agency.

In September, DPC hit Meta Platforms with fines totalling €91 million for inadvertently storing hundreds of millions of user passwords incorrectly.

It also fined Meta Platforms €1.2 billion in May 2023 for breaches of European Union laws covering data protection.

The most recent fine also adds to a €390 million penalty the DPC imposed on Meta Platforms in January 2023 and a €405 million charge in 2022, which are also related to breaches of data processing rules.