The Irish Data Protection Commission (DPC) has fined Meta $101.5 million (€91 million) after concluding an investigation into a 2019 security breach in which the company accidentally stored users’ passwords in clear text. Meta’s initial announcement only mentioned that it had discovered some user passwords stored in clear text on its servers in January of that year. A month later, the company updated its announcement to reveal that millions of Instagram passwords had also been stored in an easily readable format.
Meta did not say how many accounts were affected, but executives told Krebs on Security at the time that the incident involved up to 600 million passwords. Some of the passwords had been stored on the company’s servers in easily readable format since 2012. They were also reportedly searchable by more than 20,000 Facebook employees, but the DPC clarified in the decision that they were not made public, at least not to outside parties.
The DPC found that Meta breached several GDPR regulations related to this breach. It determined that the company failed to “notify the DPC without undue delay of a personal data breach relating to the storage of user passwords in plain text” and failed to “document the personal data breach relating to the storage of user passwords in plain text”. It also said that Meta violated the GDPR by not taking appropriate technical measures to ensure the security of users’ passwords against unauthorized processing.
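The “appropriate technical measures” at issue are, in practice, salted password hashing with a memory-hard function. The example below is added here and is not code from the article or from Meta: it shows the plaintext record layout the decision describes beside a hardened record that keeps only a salt and an scrypt digest, and a check that flags records still carrying a plaintext password field. The record layouts and sample users are constructed for the example.

```python
"""Added example (not part of the article): plaintext credential storage
beside a salted, memory-hard hash, plus a check for lingering plaintext
fields. Standard library only; record layouts are constructed here."""
import hashlib
import hmac
import os

# Constructed sample input: what a plaintext-storage bug leaves on disk.
PLAINTEXT_RECORDS = [
    {"user": "alice", "password": "correct horse battery staple"},
    {"user": "bob", "password": "hunter2"},
]

# scrypt parameters (hypothetical choice for the example): 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(user: str, password: str) -> dict:
    """Weak form: the password itself is the stored record (what the DPC fined).
    Anyone who can read the store, including internal staff, reads the password."""
    return {"user": user, "password": password}


def store_hashed(user: str, password: str) -> dict:
    """Hardened form: per-user random salt plus scrypt; the password is never kept."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"user": user, "salt": salt.hex(), "scrypt": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), record["scrypt"])


def plaintext_exposure(records: list) -> list:
    """Defensive audit: users whose stored record still carries a plaintext
    password field, the condition the DPC found had persisted since 2012."""
    return [r["user"] for r in records if "password" in r]
```

Running `plaintext_exposure` over a credential store is the kind of check that would have surfaced the records before an employee search did.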
“It is widely accepted that user passwords should not be stored in clear text, given the risk of misuse posed by those accessing such data. The passwords considered in this case are particularly sensitive. We must keep in mind that this is expensive, as it allows access to users’ social media accounts,” DPC Deputy Commissioner Graham Doyle said in a statement.
In addition to the fine, the DPC also imposed disciplinary action on the company. We may learn more about what that means for Meta when the commission releases its full final decision and other relevant information.
