The Data Protection Commission (DPC) Ireland slaps Meta Platforms with a $100 million fine on Friday for exposing the plaintext passwords of a reported 600 million Facebook users to internal employees.
The DPC’s decision closes an inquiry opened against Meta Platforms Ireland back in 2019, after American security researcher Brian Krebs broke the story in March of that year.
Meta was the first to alert the regulatory body that it had inadvertently stored the user passwords without using cryptographic protection or encryption – in violation of security requirements as laid out in the General Data Protection Regulation (GDPR).
"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," Irish DPC Deputy Commissioner Graham Doyle said in a statement on the reprimand.
“This Decision of the DPC concerns the GDPR principles of integrity and confidentiality,” the Commission noted in its news release.
Data Protection Commission Ireland (@DPCIreland), September 27, 2024
According to GDPR requirements, Meta not only failed to implement the appropriate technical and organizational security measures to protect users’ data from unauthorized access, but also failed to manage security risks based on the type of data processed, including how that data was being stored on Meta’s database servers, DPC Ireland said.
The regulator also noted in its decision that Meta failed to document and notify the proper authorities “in a timely manner” that its users’ plaintext passwords had been exposed as part of a personal data breach.
Krebs, who commented on the 91 million euro fine Friday on LinkedIn, pointed out that although he had found no evidence of Facebook employees accessing the exposed data at the time, the “security/privacy failure could have allowed any one of Facebook’s 200,000 employees to see the plaintext passwords for up to 600M accounts.”
The Krebs research also found that the passwords were “searchable by thousands of Facebook employees” and in some cases, dated back to 2012.
Meta publicly acknowledged the incident at the time and a DPC investigation into the matter confirmed the passwords were not made available to external parties.
In a statement released Friday, a Meta spokesperson said the company took immediate action to fix the error after identifying it during a security review in 2019.
The statement went on to say Meta had ‘constructively engaged’ with the DPC throughout the inquiry, and reiterated there was no evidence the passwords were abused or accessed improperly.
The DPC Ireland is considered the main regulatory authority for most US-based social media and online firms operating in the European Union.
It's also not the first monetary penalty the DPC has handed down to Meta for non-compliance with the EU’s GDPR. In fact, Meta is considered one of the EU's top GDPR offenders, having already received a total of over €2.5 billion in fines since the GDPR came into force in 2018.
Last May, Meta was issued a €1.2 billion fine, the largest GDPR fine ever, for how it carried out transfers of personal data to the US. Meta is appealing the DPC decision.
In January 2023, the DPC announced fines against Meta’s Facebook for €210 million, and another €180 million for Instagram, both for GDPR violations related to user consent and data processing. Meta also had to pay €5.5 million in fines over WhatsApp GDPR infractions the same month.
Meta’s Facebook was fined €265 million in November 2022 for a data scraping leak from three years earlier that exposed hundreds of millions of user records.
And this past July, a concluded DPC probe into Meta's "pay or consent" model is expected to lead to another hefty sum for the Zuckerberg-owned tech firm.