Meta has been hit with a hefty fine of $101 million by the Irish Data Protection Commission (DPC) for a significant security lapse involving the improper storage of millions of passwords for its Facebook and Instagram platforms. The DPC’s investigation began in April 2019 after Meta disclosed that it had inadvertently stored user passwords in plaintext, violating several articles of the European Union’s General Data Protection Regulation (GDPR). The findings underscore the importance of adhering to stringent data protection measures, especially for a company of Meta’s size.
The DPC found that Meta failed to notify the commission promptly about the data breach and did not document the personal data breaches concerning the plaintext storage of user passwords. Moreover, the commission noted that Meta lacked adequate technical measures to ensure the confidentiality of its users’ sensitive information. Such negligence is alarming, given that user passwords are critical to account security and should never be stored in a readable, unprotected form.
According to reports, some of the exposed passwords dated back to 2012, with Meta acknowledging that approximately 2,000 engineers and developers had made around nine million internal queries for data elements containing plaintext user passwords. In addition, Meta later revealed that millions of Instagram passwords were stored in a similar manner, prompting further notifications to affected users. The DPC emphasized the severity of the breach, noting that it put users’ social media accounts at risk of unauthorized access.
In light of the fine, Meta stated that it took “immediate action” to rectify the error and proactively informed the DPC about the issue. The company’s commitment to improving data protection practices will be closely scrutinized as the DPC and other regulatory bodies continue to enforce compliance with data privacy regulations. This incident serves as a critical reminder for tech companies to prioritize user data security to maintain trust and comply with evolving legal standards.