The Facebook security flaw that exposed personal information to an unknown attacker affected 3 million people in Europe, where companies face potentially steep fines for privacy violations, an Irish official said on Tuesday.

Some 30 million people worldwide had their Facebook data exposed by the flaw, which allowed attackers to steal Facebook “access tokens,” the digital equivalent of keys. Facebook announced last week that an unnamed party then used the tokens to see personal information about users.

For 14 million of the worldwide users, the attackers accessed data such as gender, birth date, work, location check-ins, pages they follow and their 15 most recent searches, Facebook said.

Graham Doyle, head of communications for the Ireland Data Protection Commission, said that 3 million Europeans were among those affected. CNBC first reported the figure.

Facebook's European headquarters is in Ireland, so data protection authorities there have jurisdiction over all of Facebook’s activities in Europe. The Irish commission is responsible for monitoring the application of data laws to a wide array of industries, including the tech sector

Doyle said the commission did not know yet what data of the 3 million Europeans had been exposed, but that the commission was investigating.

The number is the first indication of who the victims of the breach were. Facebook on Friday declined to provide a geographic breakdown of who was affected.

Facebook did not immediately respond to a request for comment on Tuesday.

In April, a new data privacy law took effect in Europe that enables the region’s data protection authorities to fine companies up to 4 percent of their global revenue if they fail to protect user information. Facebook’s revenue last year was $40.7 billion, so its maximum fine under the law would be $1.6 billion.

The law, known as the General Data Protection Regulation, or GDPR, says that the amount of a fine will depend in part on the “nature, gravity and duration of the infringement” and the “number of data subjects affected.”

The law requires tech companies, healthcare firms and others that handle people’s data to meet requirements such as obtaining consent in “clear and plain language” before collecting information and giving people the option to withdraw consent later on. Companies must also implement appropriate measures to ensure security.