Ireland’s Data Protection Commission (DPC) fined Meta €91 million ($101.56 million) as part of an investigation into a security breach in March 2019, when the company revealed it had mistakenly stored user passwords in clear text on its systems.
investigation, DPC is started next month found that the social media giant violated four different articles of the European Union’s General Data Protection Regulation (GDPR).
To that end, the DPC accused Meta of failing to notify the DPC of the data breach in a timely manner, to document the breach of personal data relating to the public storage of user passwords, and to have failed to use adequate technical measures to ensure the confidentiality of user passwords.
The goal is initially revealed what breach of privacy led to the public exposure of a subset of Facebook users’ passwords, although it was noted that there was no evidence that it had been improperly accessed or misused domestically.
According to Krebs on securitysome of those passwords date back to 2012, and a senior employee said “about 2,000 engineers and developers made approximately nine million internal queries for data items that contained plain text user passwords.”
A month later, the company admitted that millions of Instagram passwords were also stored in a similar manner and that it is notifying affected users.
“It is widely accepted that user passwords should not be stored in clear text, given the risk of abuse arising from individuals accessing such data,” Graham Doyle, deputy commissioner of the DPC, said in a press statement.
“It should be kept in mind that the passwords at issue in this case are particularly sensitive as they allow access to user accounts on social networks.”
In a statement with the Associated Press, Meta said it had taken “immediate action” to correct the error and that it had “proactively flagged the issue” with the DPC.
