Meta is no stranger to financial penalties for exposing user data, and the social media company has once again found itself in hot water in Europe. This time it has drawn the ire of the Irish Data Protection Commission (DPC), which has hit Meta with a fine of €91 million (about $101.5 million) and an official reprimand.
The penalty follows the DPC's investigation into a 2019 security lapse in which Meta stored some users' passwords in plaintext, a serious violation of data protection law.
When the issue was first identified five years ago, Meta conducted an internal security review and found that certain user passwords had been stored without being hashed or otherwise protected from access. According to reports at the time, as many as 600 million Facebook accounts were affected (millions of Instagram accounts were later found to be affected as well), and Meta employees could read the passwords.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, Deputy Commissioner for the Irish DPC, commented on the matter.
Doyle's stance is hardly surprising. Passwords kept without hashing or other protection are exposed to anyone who can read the backing store: a database dump, a log file or a backup is enough to recover every password verbatim and log in as the affected users. Even hashing is not enough on its own if it is done badly; LinkedIn learned that the hard way in 2012, when roughly 6.5 million unsalted SHA-1 password hashes were stolen and a large share of them were cracked within days.
User accounts often contain sensitive information such as personal details, private conversations and financial data, and malicious actors can readily use that data to impersonate the account holder for identity theft, online harassment or scams.
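To make the difference concrete, here is an added example (it is not Meta's code and says nothing about how Meta's systems actually stored passwords). It puts the anti-pattern, a store that keeps passwords verbatim, beside the accepted practice: a per-user random salt and a slow, memory-hard key derivation function (scrypt here), with a constant-time comparison at login. The usernames, passwords and the "dump" replay are constructed for illustration; `replay_dump` models someone who has obtained the backing data and tries each stored value as a password.

```python
"""Plaintext vs. hashed password storage: what a leaked store gives an attacker.

Added example, not code from Meta or from the article. All data is constructed.
"""
import hashlib
import hmac
import os


class PlaintextStore:
    """The anti-pattern: the password is kept exactly as the user typed it."""

    def __init__(self):
        self._rows = {}

    def register(self, username, password):
        self._rows[username] = password  # anyone who reads this file has the password

    def verify(self, username, password):
        return self._rows.get(username) == password

    def dump(self):
        # What an employee, a backup reader or an intruder sees.
        return dict(self._rows)


# scrypt cost parameters; 2**14 / 8 / 1 is a common interactive-login setting.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Derive a 32-byte digest from the password and a 16-byte random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return salt, digest


class HashedStore:
    """The hardened form: only (salt, digest) pairs are ever written down."""

    def __init__(self):
        self._rows = {}

    def register(self, username, password):
        self._rows[username] = hash_password(password)

    def verify(self, username, password):
        row = self._rows.get(username)
        if row is None:
            # Burn a KDF round anyway so unknown usernames are not distinguishable by timing.
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = row
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, expected)

    def dump(self):
        # Hex-encoded salt and digest: useless for logging in, and equal passwords
        # do not produce equal digests because every user has a different salt.
        return {u: (s.hex(), d.hex()) for u, (s, d) in self._rows.items()}


def replay_dump(store):
    """Model an attacker who has the dump and tries each stored value as the password.

    Returns the set of usernames whose accounts that replay opens.
    """
    opened = set()
    for user, stored in store.dump().items():
        candidates = [stored] if isinstance(stored, str) else list(stored)
        if any(store.verify(user, c) for c in candidates):
            opened.add(user)
    return opened


def demo():
    """Constructed scenario: two users who happen to share a password."""
    plain, hashed = PlaintextStore(), HashedStore()
    for store in (plain, hashed):
        store.register("alice", "hunter2")
        store.register("bob", "hunter2")
    return {
        "plaintext_opened": sorted(replay_dump(plain)),
        "hashed_opened": sorted(replay_dump(hashed)),
        "salted_digests_differ": hashed.dump()["alice"][1] != hashed.dump()["bob"][1],
    }


if __name__ == "__main__":
    print(demo())
```

The point of `replay_dump` is that with the plaintext store the dump is the credential; with the hashed store the dump is only useful as input to an offline guessing attack, which the salt and the scrypt cost are there to slow down. Rate limiting, breach-password blocklists and multi-factor authentication address the remaining risk that a weak password is guessed anyway.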
Returning to the decision, the DPC's investigation found that Meta's Irish entity had breached the GDPR in several respects. For one, the DPC was not notified without undue delay once Meta discovered the plaintext storage (the company took several months to report it). Meta also failed to document the breach adequately and did not promptly put in place measures that would keep user passwords safe. In all, Meta Platforms Ireland Limited (MPIL) was found to have violated Article 33(1), Article 33(5), Article 5(1)(f) and Article 32(1) of the GDPR.
To its credit, Meta did acknowledge the issue back in 2019, saying it had fixed the problem and taken steps to prevent a recurrence. That did not spare it a hefty financial penalty, which adds to Meta's mounting legal troubles in Europe. Since the GDPR took effect in 2018, Meta and other tech firms have paid billions in fines for non-compliance with data protection law; the penalties imposed on Meta alone have amounted to more than €2.5 billion.