Meta Fined €91 Million For Storing Facebook & Instagram Passwords In Plaintext

The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for inadvertently storing hundreds of millions of user passwords internally in plaintext.

It has also issued the company a reprimand over the matter.

In March 2019, Meta notified the DPC that it had incorrectly stored certain Facebook user passwords in plaintext on its internal systems, i.e., without cryptographic protection or encryption. It also publicly acknowledged the incident at the time.

“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Meta disclosed in a news release in March 2019.

While the company did not reveal how many users were impacted by the issue, it estimated that it would notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users,” and “millions of Instagram users.”

Back then, Meta said it had found no evidence that the passwords had been exposed to external parties, or that they had been internally abused or improperly accessed.

Following Meta’s disclosure of the incident, the DPC opened an investigation into the company’s password storage practices in April 2019 to assess MPIL’s compliance with the European Union’s General Data Protection Regulation (GDPR).

The DPC found that the tech giant had infringed four different GDPR articles: failing to notify the DPC of the personal data breach; failing to document the personal data breach concerning the storage of user passwords in plaintext; failing to use appropriate technical or organisational measures to safeguard users’ password data against unauthorised processing; and failing to implement appropriate technical and organisational measures to ensure the ongoing confidentiality of user passwords.

“It is widely accepted that user passwords should not be stored in ‘plaintext’ considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts,” Graham Doyle, Deputy Commissioner at the DPC, said in a statement.

The DPC also said in a news release, “The GDPR requires data controllers to implement appropriate security measures when processing personal data, taking into account factors such as the risks to service users and the nature of the data processing. In order to maintain security, data controllers should evaluate the risks inherent in the processing and implement measures to mitigate those risks.”

In response to the above GDPR violations, the DPC has imposed a €91 million ($100 million) fine on Meta and a reprimand pursuant to Article 58(2)(b) GDPR. The agency will publish complete details and further information about the incident in due course.

Reacting to the DPC fine, Meta said in a statement shared with the Associated Press, “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly. We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”

Kavita Iyer