The Irish Data Protection Commission (DPC) has fined Meta €91 million (around $101.5 million) for failing to protect user passwords. This fine is in response to an incident that happened back in 2019, where millions of Facebook and Instagram passwords were stored in plain text, which made them easily accessible without encryption.
The DPC says that this incident violated several provisions of the GDPR. What's worse, Facebook did not notify its users about the breach and did not put remedial security measures in place until after the breach had been discovered.
Meta"s fine includes violation of the following articles under the GDPR:
- Article 33(1) GDPR, as MPIL failed to notify the DPC of a personal data breach concerning the storage of user passwords in plaintext;
- Article 33(5) GDPR, as MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
- Article 5(1)(f) GDPR, as MPIL did not use appropriate technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing; and
- Article 32(1) GDPR, because MPIL did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
The incident occurred when the passwords ended up in parts of Meta's systems that were not designed for password management, possibly as a result of error logs or crash reports. This meant that those passwords were accessible to over 20,000 employees at Meta. The passwords were stored in plain text from 2012 until 2019, when a routine security review found that they were being stored in a readable format.
Deputy Commissioner at the DPC, Graham Doyle, said in a press release:
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
Meta"s standard procedure of storing passwords includes a hashing technique called "script," which involves converting the actual password into a random string of characters that cannot be easily reversed. This method protects user accounts by ensuring that even if the data is accessed, the original passwords remain secure. However, the passwords still ended up in Meta"s other systems.
Meta acknowledged the incident back in 2019 and said that there was no evidence of any external access or abuse of this data.
via Reuters