Ireland’s Data Protection Commission (DPC) has levied a hefty fine of $101.5 million (€91 million) against Meta, following an exhaustive investigation into a 2019 security breach. The probe revealed that the company had inadvertently stored users’ passwords in plain text, a glaring lapse in security protocol.
Initially, Meta had announced the discovery of some user passwords stored in plain text on its servers in January 2019. However, a subsequent update revealed that millions of Instagram passwords were also stored in an easily readable format. While Meta remained tight-lipped about the exact number of affected accounts, a senior employee revealed to Krebs on Security that up to 600 million passwords were compromised. Some of these passwords had been stored in plain text since 2012, and were searchable by over 20,000 Facebook employees. The DPC has confirmed that the passwords were not accessible to external parties.
The DPC’s investigation found Meta in breach of several GDPR regulations. The company failed to notify the DPC of the personal data breach in a timely manner and did not document the breach adequately. Furthermore, Meta did not employ sufficient technical measures to safeguard user passwords against unauthorized access.
Deputy Commissioner Graham Doyle emphasized the gravity of the situation, stating, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from unauthorized access. The passwords in question are particularly sensitive, as they grant access to users’ social media accounts.”
In addition to the fine, the DPC has issued a reprimand to Meta. The full implications of this decision will become clearer when the commission publishes its final verdict and supporting documentation in the future.
