Meta, the parent company of Facebook, has been fined €91 million by Ireland’s Data Protection Commission (DPC) over a serious password-security breach that affected 36 million Facebook and Instagram users in the European Economic Area (EEA).
The breach, discovered in early 2019, involved Meta inadvertently storing users’ passwords in plain text, exposing them to significant security risks.
The fine highlights Meta’s failure to implement adequate security measures and its delay in reporting the breach to regulators.
Meta hit with hefty fine over major security lapses
In April 2019, Meta notified the Irish DPC that it had “inadvertently stored certain passwords of social media users” in an unprotected, readable format on its internal systems.
This discovery prompted an inquiry by the DPC, which found that Meta’s storage practices posed a significant security risk to users.
The passwords, stored in plain text, left millions of accounts vulnerable to potential misuse by unauthorised parties who could access the sensitive information.
The DPC’s investigation revealed that 36 million users across the EEA, which includes the EU, Iceland, Liechtenstein, and Norway, were impacted by the breach.
Although Meta stated that there was no evidence the passwords had been accessed or misused, the regulator deemed the company’s actions insufficient in protecting users’ data and issued a hefty fine in response to the violation.
Meta’s delay escalates the fine
Another critical factor in the DPC’s decision was the delayed reporting of the breach by Meta.
Although the company discovered the issue in January 2019, it failed to alert the regulator until March of that year, leaving millions of users’ personal information exposed for months without action.
The DPC was quick to point out that the delay in reporting was a breach of GDPR regulations, which require companies to notify authorities within 72 hours of identifying such incidents.
This delay only compounded the seriousness of the breach, as it gave malicious actors more time to potentially exploit the vulnerability.
The DPC cited Meta’s handling of the situation as inadequate, noting that the social media giant’s lack of appropriate security measures directly contributed to the data exposure.
Meta’s reaction and next steps
In its defence, Meta explained that the password issue occurred due to an internal error and that the problem was resolved promptly after its discovery.
The company claims that the error affected only a limited number of users, and it proactively notified the DPC once the issue was identified.
Meta further stated that there was no evidence to suggest the passwords were ever accessed or used for malicious purposes.
Despite these assurances, the DPC emphasised that storing passwords in plaintext is a serious violation of basic cybersecurity principles.
The commission highlighted that best practices dictate that sensitive data, including passwords, should always be stored in an encrypted format to prevent misuse in the event of unauthorised access.
Financial and reputational implications for Meta
The €91 million fine represents a significant financial penalty for Meta, but the reputational damage may be even more costly.
With increasing scrutiny on how tech giants handle personal data, particularly in light of GDPR regulations, the incident adds to the growing list of challenges Meta faces in the EU.
The breach serves as a stark reminder of the importance of robust cybersecurity measures, especially when it comes to handling sensitive user information.
This latest fine adds to a series of regulatory actions taken against Meta by European authorities.
With the company’s vast user base and substantial influence, incidents like these further fuel concerns over how it handles the personal data entrusted to it by millions of people worldwide.
Strengthened regulatory oversight
The DPC’s decision to impose a significant fine on Meta sends a clear message to other companies operating in the EU: failure to adhere to GDPR standards will result in serious consequences.
In addition to the financial penalty, Meta’s handling of the breach underscores the need for enhanced regulatory oversight in the tech industry.
As cyberattacks and data breaches become increasingly common, regulators around the world are stepping up efforts to hold companies accountable for lapses in security and transparency.
For Meta, the €91 million fine could be just the beginning, as the company continues to face scrutiny over its data privacy practices across multiple jurisdictions.
The post Meta slapped with €91 million fine by Ireland over massive password breach appeared first on Invezz
