Meta has been sanctioned by the Irish Data Protection Commission (DPC) with a €91 million ($101.56 million) fine following an investigation into a security incident in March 2019, during which the company mistakenly held users’ passwords in cleartext within its systems.
The investigation, which the DPC opened the following month, found that the social media titan breached four distinct articles of the European Union’s General Data Protection Regulation (GDPR).
As a result, the DPC censured Meta for failing to promptly inform it of the data breach, failing to record personal data breaches related to storing user passwords in cleartext, and failing to employ adequate technical safeguards to preserve the confidentiality of users’ passwords.
Initially, Meta disclosed that the breach resulted in the exposure of a subset of users’ Facebook passwords in cleartext, and gave assurances that there was no indication of unauthorized access or misuse internally.
According to information from Krebs on Security, some of these passwords trace back to 2012, with a senior employee revealing that “approximately nine million internal queries for data elements containing cleartext user passwords” were conducted by around 2,000 engineers or developers.
A month later, Meta admitted that millions of Instagram passwords had also been stored in an analogous manner, and that efforts were being made to inform affected users.
Graham Doyle, the deputy commissioner at the DPC, commented in a press release, “It is an established fact that storing user passwords in cleartext is not recommended, given the potential risks associated with unauthorized data access.”
“It’s important to bear in mind that the passwords implicated in this case are especially sensitive since they could allow access to users’ social media profiles.”
Meta, in a statement provided to Associated Press, mentioned that it took immediate corrective measures to address the issue and proactively flagged the matter to the DPC.

