
Image by Nokia621, from Wikimedia Commons
Meta Fined €251 Million Following Data Breach Affecting Millions
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
The Irish Data Protection Commission (DPC) has imposed a €251 million fine on Meta Platforms Ireland Limited (MPIL) following two inquiries into a major data breach that occurred in 2018, the DPC announced in a press release.
In a Rush? Here are the Quick Facts!
- 29 million Facebook accounts globally were affected, including 3 million in the EU.
- Fines include €8 million for an incomplete breach notification and €3 million for failing to document the breach; the remaining €240 million relates to data protection by design and by default.
- DPC warns about risks of unauthorized exposure of sensitive personal data on Facebook.
The breach, which affected around 29 million Facebook accounts globally, exposed personal data including names, email addresses, phone numbers and other profile fields such as date of birth, location and religion. Of those impacted, approximately 3 million accounts were based in the European Union and European Economic Area (EU/EEA), said the DPC.
The breach occurred when unauthorized third parties exploited a flaw in Facebook's "View As" feature to obtain user access tokens, which they then used to access account data. MPIL reported the incident to the DPC in September 2018, and the flaw was remedied promptly by MPIL and its US parent company.
The Record notes that a Meta spokesperson issued a statement highlighting that the fine stems from an incident that occurred six years ago.
“We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission,” the statement said, as reported by The Record. “We have a wide range of industry-leading measures in place to protect people across our platforms.”
The first decision found that Meta's breach notification to the DPC omitted information that the GDPR requires a notification to include, and that Meta had failed to document the facts of the breach. For these two infringements the DPC levied fines of €8 million and €3 million, respectively.
The second decision concerned data protection by design and by default. Meta was found to have inadequately built data protection safeguards into the design of its processing systems, and to have failed to ensure that, by default, only the personal data necessary for each specific purpose was processed. The fines for these two infringements were €130 million and €110 million, respectively, said the DPC.
Graham Doyle, Deputy Commissioner of the DPC, emphasized the seriousness of the breach, highlighting how inadequate data protection measures can expose individuals to significant risks.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances,” Doyle said in the press release.
“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data,” Doyle added.
This enforcement action serves as a stark reminder of the importance of robust data protection measures for companies operating within the EU.
The fine announced on Tuesday marks the latest financial penalty Meta has faced for breaching European data protection laws. In September, the DPC imposed a €91 million (about $101.5 million) fine on Meta for storing some users' passwords in plaintext.

Image by fptsmartcloud, from Pxhere
Hackers Leverage Microsoft Teams To Deploy Malware
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
A recent incident showed how a social engineering attack, delivered as voice phishing (vishing) over Microsoft Teams, enabled a malicious actor to deploy DarkGate malware on a victim’s system.
In a Rush? Here are the Quick Facts!
- Voice phishing through Microsoft Teams led to DarkGate malware deployment.
- Victim convinced to download AnyDesk after failed Microsoft Remote Support installation.
- Attacker gained system access by convincing victim to enter credentials.
The attack, analyzed by Trend Micro’s Managed Detection and Response (MDR) team, began with a flood of several thousand emails to the victim’s inbox. An attacker posing as a client representative then called the victim via Microsoft Teams, using the email flood as a pretext for offering technical help.
The impersonator instructed the victim to download the Microsoft Remote Support application, but after this installation attempt failed, the attacker successfully convinced the victim to download AnyDesk, a legitimate remote desktop tool.
The attacker then guided the victim to enter their credentials, granting unauthorized access to the system.
Once inside the system, the attacker dropped multiple suspicious files, one of which was identified as Trojan.AutoIt.DARKGATE.D. That file launched a series of commands, including an attempt to reach a suspected command-and-control (C&C) server from which further malicious actions could be directed.
Although the attack was halted before any data was exfiltrated, it exposed weaknesses in remote-access management and in the organization’s resistance to social engineering.
The attacker used AutoIt scripts to operate on the victim’s machine, executing commands to gather system information and to establish a more persistent foothold.
Notably, the AutoIt3.exe process ran a series of commands that downloaded additional malware, including scripts that attempted to connect to external IP addresses. The malware tried to avoid detection by checking which antivirus products were installed and by creating multiple randomly named files to obscure its presence.
The ultimate goal of the attack appeared to be the installation of a final DarkGate payload. This payload would have further enabled the attacker to control the victim’s system and potentially exfiltrate sensitive data. However, the attack was detected in time, preventing the attacker from achieving their objective.
To defend against such attacks, experts recommend that organizations thoroughly vet third-party technical support providers. Remote access tools such as AnyDesk should be explicitly allowlisted, so that only approved tools can run, and their use should be monitored, with multi-factor authentication (MFA) enabled to prevent unauthorized access.
Additionally, employees should receive regular training to recognize social engineering tactics and phishing attempts, which remain a key vector for cyberattacks.
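The chain described above (a remote access tool launched by the user, a script host such as AutoIt3.exe running underneath that session, and that script host reaching out to an external address) is detectable from ordinary endpoint process telemetry. The following is an added example written for this article, not Trend Micro's detection logic or any vendor's rule: it walks a small set of constructed, Sysmon-like process-creation and network-connection events, reconstructs the parent chain, and raises findings for an unapproved remote access tool, for a script host running under a remote session, and for a script host connecting to a non-internal address. The field names, the allowlist, and the sample events (including the documentation IP 203.0.113.7 standing in for a C&C address) are all assumptions made for the example.

```python
"""Detect the AnyDesk -> AutoIt3.exe -> external-connection chain in endpoint telemetry.

Added example, not code from Trend Micro or the original article. Event fields
mirror Sysmon (id 1 = process create, id 3 = network connect) but are an assumption.
"""
import ipaddress

# Constructed sample telemetry for illustration only.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Users\v\Downloads\AnyDesk.exe"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Users\v\AppData\Local\Temp\AutoIt3.exe"},
    {"id": 3, "pid": 400, "dst": "10.0.0.5", "port": 445},      # internal, not a finding
    {"id": 3, "pid": 400, "dst": "203.0.113.7", "port": 443},   # TEST-NET-3 stands in for C&C
    {"id": 1, "pid": 500, "ppid": 100, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"id": 1, "pid": 600, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "pid": 600, "dst": "198.51.100.9", "port": 443},  # external, but not a script host
]

# Assumed policy: TeamViewer is the approved remote-access tool; others are findings.
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
SCRIPT_HOSTS = {"autoit3.exe"}

# Address ranges treated as internal. A real deployment would use the
# organization's address plan; TEST-NET ranges are deliberately left external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external(ip):
    """True unless the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(events):
    """Return a list of (rule, pid, detail) findings from the event stream."""
    procs = {}  # pid -> (ppid, image basename), from process-create events
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = (e["ppid"], basename(e["image"]))

    def ancestors(pid):
        # Yield image names walking up from pid; guard against cycles in bad data.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            ppid, name = procs[pid]
            yield name
            pid = ppid

    findings = []
    for pid, (ppid, name) in procs.items():
        if name in REMOTE_TOOLS and name not in APPROVED_REMOTE_TOOLS:
            findings.append(("unapproved_remote_tool", pid, name))
        if name in SCRIPT_HOSTS:
            rat = next((a for a in ancestors(ppid) if a in REMOTE_TOOLS), None)
            if rat:
                findings.append(("script_host_under_remote_session", pid, f"{name} <- {rat}"))
    for e in events:
        if e["id"] == 3 and e["pid"] in procs:
            name = procs[e["pid"]][1]
            if name in SCRIPT_HOSTS and is_external(e["dst"]):
                findings.append(("script_host_external_connection", e["pid"],
                                 f"{e['dst']}:{e['port']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:35s} pid={pid} {detail}")
```

Run against the sample events, the analysis produces three findings: AnyDesk.exe as an unapproved remote tool, AutoIt3.exe running with AnyDesk.exe in its parent chain, and AutoIt3.exe connecting to 203.0.113.7:443. The svchost.exe connection is external but not from a script host, and the 10.0.0.5 connection is internal, so neither is reported. In production the process tree would come from an EDR or Sysmon feed rather than an inline list, and the allowlist would be the organization's actual approved tooling.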