Meta, the parent company of Facebook and Instagram, has been fined nearly €265 million by Ireland’s data privacy regulator for failing to prevent the massive 2021 Facebook data breach.

The Irish data protection commission (DPC) launched the investigation into whether Facebook complied with Europe’s General Data Protection Regulation (GDPR) laws in April 2021 after the phone numbers and personal data of 533 million Facebook users was leaked on a hacker forum for free. At the time, Meta said the cyber thieves obtained the information using a vulnerability that the company fixed in 2019, and that this was the same information involved in a prior leak reported in January 2021.

Since 2021, the DPC has slapped Meta and its other subsidiaries, Instagram and WhatsApp, with €912 million in fines for alleged violations of Europe’s General Data Protection Regulation (GDPR). In September 2022, Meta was fined €405 million over Instagram’s handling of children’s data, the second-largest GDPR fine in history.

A Meta spokesperson said it was reviewing the DPC’s decision “carefully” and that it had cooperated fully with the agency’s investigation.