Ireland’s Data Protection Commission (DPC) on Monday imposed a €265 million ($277 million) fine on Facebook parent Meta for failing to prevent hackers from stealing the personal information of around 533 million Facebook users in a data breach that occurred in 2019.

The DPC is Meta’s lead privacy regulator within the European Union (EU), and has been conducting 13 more enquiries into the social media giant business practices.

In April 2021, Irish regulator launched an enquiry into the Facebook data leak, which exposed the personal details of about 533 million users from more than 100 countries.

The countries worst hit by the leak included Egypt (44 million records), Tunisia (39 million), the USA (32 million) and the UK (11 million). User data that was exposed included full names, phone numbers, gender, date of birth, location, relationship status and email address.

The DPC said it believed the leak might have violated one or more provisions of the EU’s General Data Protection Regulation (GDPR) and/or the Data Protection Act 2018.

Facebook said that the leak was related to an ‘old’ bug that was fixed by 2019 and that malicious actors had scraped the data using Facebook’s contact importer tool before September 2019. Scraping is the practice of using automated software to extract public information from the internet, which is subsequently distributed in online forums.

As part of its enquiry, the DPC evaluated the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in regard to processing carried out by Meta between May 25, 2018 and September 2019.

The DPC has now concluded that Meta violated both Article 25(1) and Article 25(2) of the GDPR rules.

In addition to the financial penalty, Meta has also received a reprimand and an order directing it to bring its processes into conformity by completing a number of certain corrective measures within a particular timeframe.

“Because this data set was so large, because there had been previous instances of scraping on the platform, where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction,” Data Protection Commissioner Helen Dixon said.

“The risks are considerable for individuals in terms of scamming, spamming, smishing, phishing and loss of control over their personal data so we imposed a fine of €265 million in total.”

The Irish regulator said that other relevant EU authorities concurred with the conclusion made on Monday, following its sharing of a draft judgement with them last month.

A Meta spokesperson said that the company was carefully reviewing the Irish regulator’s decision.

“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” the spokesperson said.

“Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge.”

This is the fourth financial penalty issued against one of Meta’s firms by Ireland’s DPC.

In September, the watchdog fined Meta’s Instagram subsidiary a record-breaking €405 million.

Because Apple, Google, and other tech giants have chosen to locate their EU headquarters in Ireland, the DPC is the regulatory body that oversees them. The regulator currently has 40 investigations open into such companies.