World Tech

Meta Fined €91M ($147 Million) For Storing Users Passwords In Plain Text

Ireland's Data Protection Commission (DPC) has fined Meta €91 million ($147 million) following the revelation in 2019 that the company had stored 600 million Facebook and Instagram passwords in plaintext. The DPC determined that Meta violated GDPR multiple times in connection with this breach.

Matthew Giannelis
Matthew Giannelis

The Irish Data Protection Commission (DPC) has fined Meta €91 million ($147 million) following a security lapse in when the company admitted to mistakenly storing users’ passwords in plaintext.

Launched by the DPC the investigation uncovered that Meta violated four articles of the EU’s General Data Protection Regulation (GDPR). The inquiry was first opened five years ago after Meta notified the DPC that it had stored some passwords in plaintext.

The DPC criticised Meta for failing to promptly notify them of the breach, document incidents related to the plaintext storage of passwords, and implement adequate technical measures to protect user confidentiality.

While Meta disclosed that this privacy issue affected a subset of Facebook users’ passwords, it stated there was no evidence that the exposed data was accessed or misused internally.

Some of the exposed passwords date back to 2012, with a senior employee revealing that around 2,000 engineers or developers conducted approximately nine million internal queries for data containing plaintext user passwords.

A month later, Meta acknowledged that millions of Instagram passwords were also stored in a similar manner and announced plans to notify affected users.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, deputy commissioner at the DPC, said in a press statement.

“It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.” said Doyle

Last year Facebook owner Meta was hit with a record €1.2bn fine by the Irish data watchdog and was instructed to stop transferring EU users’ data to US

In a response to the fine, Meta’s global affairs president Nick Clegg said that the company is “disappointed to have been singled out” for using the same legal mechanisms as other companies in Europe.

The DPC is the lead EU regulator for most of the top U.S. internet firms due to the location of their EU operations in the country.

To date, it has imposed fines totaling €2.5 billion on Meta for violations of the EU’s General Data Protection Regulation (GDPR), which was introduced in 2018. This includes a record €1.2 billion fine in 2023, which Meta is currently appealing.

ByMatthew Giannelis
Follow:
Secondary editor and executive officer at Tech Business News. An IT support engineer for 20 years he's also an advocate for cyber security and anti-spam laws.
Previous Article NSW Police Officers Banned From Using Social Media apps NSW Police Officers Banned From Using Social Media And Encrypted Messaging Apps
Next Article The Top 10 Cybersecurity Trends for 2024 Top 10 Cyber Security Trends In 2024
Leave a Comment

Leave a Reply

Tech Articles

How the World’s Data Centres Are Quietly Burning the Planet

Data centres are burning the planet, with a growing environmental…

Chatbots Condemning Children To Antisocial Behaviour?

Are Chatbots Condemning Children To Antisocial Behaviour?

Are Chatbots Condemning Children To Antisocial Behaviour? Not by default…

Why is APAC losing the war on digital fraud

Why APAC is Losing Ground In The Fight Against Digital Fraud

Why APAC is losing the war on digital fraud is…

Recent News