I'm not sympathetic to Meta making security mistakes, more curious how the punishment was decided, in the absence of any problems being caused.
I wonder if it was a poorly thought out request log line or what.
- Meta discovered the issue internally.
- Meta fixed the issue without delay.
- Meta took steps to show "absence of evidence" of abuse. (Does not mean "evidence of absence" though.)
- The Reuters article says "Issue was disclosed voluntarily to the regulator." but the actual source [1] announces a breach of GDPR Article 33(1), for failing to notify.
- Meta was still fined 91 M€ for failing to build "data protection by design and by default" (my understanding of the fine, Articles 5 and 32 of the GDPR).
This is a positive step for security: companies being fined for being sloppy about security, even if they dutifully clean up after they mess up.
[1] https://www.dataprotection.ie/en/news-media/press-releases/D...