A German court ruled on Monday that thousands of local Facebook users affected by a massive data breach in 2021 are eligible for compensation.
According to a statement from the German Federal Court of Justice (BGH), users can claim around €100 ($105) for the breach even if the data obtained by the hackers wasn’t misused or caused any harm.
“Even a brief loss of control over personal data due to a violation of the GDPR can count as non-material damage,” BGH said.
In 2021, the personal data of approximately 533 million Facebook users from around the world was leaked online. The breach occurred after unknown hackers exploited a feature that allowed them to access Facebook user accounts using randomly generated phone numbers.
Facebook said at the time that the information was “scraped” by malicious actors through a vulnerability in its tools prior to September 2019. The breach exposed users’ personal data, including their user ID, full name, workplace and gender.
German users who filed a lawsuit against Facebook said the company failed to implement “adequate security measures,” leading to distress and loss of control over their personal information.
They first requested €1,000 ($1,056) each in damages, but the court ruled that €100 would be a fair amount, as there was no evidence of financial loss. Previously, German courts had rejected users’ claims for damages.
In a comment to German media on Monday, a company spokesperson said that during the mentioned incident, Facebook’s systems were not hacked, and there was no data breach.
According to Meta, similar claims have already been dismissed thousands of times by German courts, with a large number of judges ruling that no claims for liability or damages exist.
It is not yet clear how many German users will receive compensation for being affected by the breach. According to local media reports, the claims against Meta expire at the end of this year, so users would have to act quickly — by filing a lawsuit and proving they were victims of the incident — to receive compensation from the company.
In 2022 Meta was fined €265 million ($280 million) by Irish data protection authorities for the same incident.
In a statement to Recorded Future News at that time, a Meta spokesperson said the company “cooperated fully” with the Irish authorities on this issue.
“We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers,” the spokesperson said. “Unauthorized data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully.”
Recorded Future
Intelligence Cloud.
No previous article
No new articles
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.