The Irish Data Protection Commission (DPC) has fined Meta $101.5 million (€91 million) after concluding an investigation into a security breach in 2019 in which the company stored users’ passwords in plain text. Meta’s original announcement only mentioned how it found some user passwords stored in plain text on its servers in January of that year. But a month later, it updated its announcement to reveal that millions of Instagram passwords were also stored in an easily readable format.
Meta did not say how many accounts were affected, but a senior employee told Krebs on Security at the time that the incident involved 600 million passwords. Some of the passwords had been stored in an easily readable format on the company’s servers since 2012. They were also reportedly searchable by more than 20,000 Facebook employees, although the DPC said in its ruling that they were at least not made available to external parties.
The DPC found that Meta violated several GDPR rules in relation to the breach. It found that the company “failed to notify the DPC of personal data breaches related to the storage of user passwords in clear text” and “failed to document personal data breaches related to the storage of user passwords in clear text.” It also said that Meta breached the GDPR by failing to take appropriate technical measures to secure users’ passwords from unauthorized processing.
“It is widely accepted that user passwords are not stored in clear text given the risks of misuse by those with access to such information. It should be noted that the passwords considered in this case are particularly sensitive as they will allow access to users’ social media accounts,” DPC Deputy Commissioner Graham Doyle said in a statement.
In addition to the penalty, the DPC reprimanded the company. We may know more about what this means for Meta when the Commission publishes its full final decision and other related information in the future.