In a startling conclusion to a 2019 incident, Meta has been slapped with a €91 million ($101.56 million) penalty by the Irish Data Protection Commission (DPC). This fine is tied to a serious security misstep revealed in March of that year, where the tech conglomerate disclosed it had inadvertently saved user passwords in an unencrypted, plaintext format within its systems.
The following month, the DPC launched a formal inquiry, which uncovered multiple breaches of the European Union’s General Data Protection Regulation (GDPR) by the social media titan. Specifically, Meta was found to have transgressed four distinct articles of the GDPR.
Central to the DPC’s findings was the company’s failure to swiftly inform the DPC of the data breach, to accurately document breaches related to the storage of plaintext user passwords, and to employ appropriate technical safeguards to ensure the confidentiality of users’ sensitive credentials.
Initially, Meta revealed that the breach had exposed plaintext passwords belonging to a portion of Facebook users. While the company maintained that there was no evidence of improper access or misuse of these passwords within its systems, the discovery nonetheless raised significant concerns.
According to a report by Krebs on Security, some of the affected passwords dated back as far as 2012. It was also revealed that approximately 2,000 engineers or developers within Meta’s infrastructure executed close to nine million internal queries that returned data containing plaintext user passwords.
The issue deepened when, just a month later, Meta acknowledged that millions of Instagram passwords had also been stored in a similarly insecure manner. The company began the process of notifying those impacted by the lapse.
“It is a widely accepted principle that user passwords should never be stored in plaintext, particularly due to the potential for misuse by those with access to such data,” commented Graham Doyle, the deputy commissioner at the DPC, in a press release.
He further underscored the gravity of the situation, emphasizing that the passwords at the center of this breach were highly sensitive, as they provided direct access to users’ personal social media accounts.
In a statement released to the Associated Press, Meta expressed its regret, stating that it had taken “immediate corrective action” to address the mistake and that it had “proactively alerted” the DPC regarding the issue.
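The two failures the regulator describes (credentials written in plaintext, and internal queries that returned them) map to controls a defender can check directly. The example below is added here and is not Meta's code or the DPC's; it shows, with constructed sample data, salted scrypt hashing with constant-time verification, redaction of password fields before a line reaches a log or analytics table, and an audit that flags stored credentials that are not in the expected hashed form.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample data for this example; not real users, logs or vendor code.
SAMPLE_LOG_LINES = [
    "login user=alice password=hunter2 ip=203.0.113.7 result=ok",
    '{"event": "login", "user": "bob", "password": "s3cret", "result": "fail"}',
]
SAMPLE_RECORDS = [
    {"user": "alice", "password": "scrypt$" + "0" * 32 + "$" + "0" * 64},  # hashed form
    {"user": "bob", "password": "s3cret"},                                 # plaintext leak
]

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted scrypt hash; the password itself is never persisted."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Matches password-like fields in key=value or JSON-style log lines.
SECRET_FIELD = re.compile(r'(?i)("?(?:password|passwd|pwd)"?\s*[:=]\s*)("[^"]*"|[^\s,}]+)')


def redact(line: str) -> str:
    """Mask credential values so internal queries over logs cannot return them."""
    return SECRET_FIELD.sub(r"\1[REDACTED]", line)


HASHED_FORMAT = re.compile(r"^scrypt\$[0-9a-f]{32}\$[0-9a-f]{64}$")


def audit_records(records) -> list:
    """Return users whose stored credential is not in the expected hashed form."""
    return [r["user"] for r in records if not HASHED_FORMAT.match(r["password"])]
```

Running `audit_records` periodically over the credential store, and `redact` as a log filter, gives the evidence a breach notification under GDPR Article 33 would otherwise lack.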