Meta fined €91 million by the Irish Data Protection Commission

  • Posted by: Evans Asare

The Irish Data Protection Commission (DPC) has imposed a fine of €91 million ($101.56 million) on Meta for storing millions of Facebook and Instagram passwords in plaintext. The penalty arises from an investigation into a serious security lapse that occurred in March 2019, when Meta inadvertently stored users’ passwords in plaintext.

Background of the Investigation

Following the discovery of this security issue, the DPC initiated an investigation in April 2019. The inquiry revealed that Meta had breached four articles of the European Union’s General Data Protection Regulation (GDPR). Consequently, this raised substantial concerns about the company’s data handling practices.

Key Findings of the DPC

The DPC identified several critical shortcomings on Meta’s part. Firstly, the company failed to promptly notify the DPC about the data breach. Additionally, it did not adequately document the personal data breaches related to the storage of user passwords in plaintext. Furthermore, Meta lacked the proper technical measures to safeguard the confidentiality of its users’ passwords.

Scope of the Data Breach

Initially, Meta disclosed that the privacy violation resulted in the exposure of a segment of users’ Facebook passwords in plaintext. However, the company emphasized that there was no evidence suggesting that these passwords were accessed or misused internally. Notably, some of these passwords dated back to 2012. According to Krebs on Security, a senior employee revealed that around 2,000 engineers or developers had made approximately nine million internal queries for data elements containing plaintext user passwords.

Additional Issues with Instagram Passwords

A month after the initial disclosure, Meta admitted that millions of Instagram passwords were also stored in a similarly insecure manner. In response, the company began notifying the affected users about this issue.

Official Statements

Graham Doyle, deputy commissioner at the DPC, highlighted the gravity of the situation. He stated, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.” He further noted the particular sensitivity of these passwords, as they provide access to users’ social media accounts.

Meta’s Response

In a statement to the Associated Press, Meta claimed it took “immediate action” to rectify the error. The company also asserted that it “proactively flagged this issue” to the DPC, demonstrating its intent to address the matter swiftly.
