The Irish Data Protection Commission (DPC) has fined Meta €91m ($101.56m) after an investigation into an external security breach that began in March 2019. This problem arose when Meta reported that it had been recording people’s passwords in plaintext in its databases, which is contrary to agreed security measures.
The DPC opened its probe into Meta the following month and found that the company had broken several provisions of the European Union's General Data Protection Regulation (GDPR). Namely, Meta had violated four distinct GDPR articles. The DPC criticized Meta for failing to:
- Inform the regulatory authority of the loss of security as soon as possible.
- Document the personal data breaches involving the storage of plaintext passwords.
- Put sufficient technical measures in place to protect users' passwords and keep them secure.
The investigation underlined that storing passwords in plaintext is very insecure, as anyone with access to them could exploit users' data.
Meta had at first disclosed that it held a subset of Facebook users' passwords in plaintext. While the company insisted that there were no records to show that the passwords had been used or accessed improperly, security analysts sounded the alarm. Data leaked included passwords created up to 2012. In one internal case, business insiders identified that 2,000 engineers/developers at Meta carried out some nine million internal searches, which comprised plaintext passwords.
This was after Meta admitted in April 2019 that millions of Instagram users' passwords had also been held in a similarly unsecured way. The company added that it had informed all users who could be affected by the problems.
The deputy commissioner in charge of the Irish DPC, Graham Doyle, stressed the severity of the situation, pointing to the particular nature of the stolen passwords. ‘It goes without saying that user passwords should not be stored as plaintext because persons accessing such data are likely to abuse it,’ said Doyle in a press statement. He also underlined the potential threats associated with these revealed passwords, since with their help intruders will be able to enter users' social media profiles.
When the DPC made its findings, Meta said it had acted quickly to address the situation; furthermore, it claimed to have “proactively informed” the DPC about the matter. The company said it wants to assure the public that it has not found any sign of misuse or illicit use of the passwords stored in plaintext.
Still, while Meta was quick to address the problem, the DPC pointed out that the issue highlighted major failures in the company's management of users' personal data, for which it was fined €91 million.