Key Points
- The Irish DPC fined Meta $101.5 million (€91 million) for storing user passwords in plain text.
- The breach affected up to 600 million passwords, accessible internally by 20,000 employees but not external parties.
- The DPC ruled Meta violated several GDPR provisions, including delayed breach notification and inadequate security measures.
- The company received a formal reprimand, with further details to be disclosed in the DPC’s final decision.
The Irish Data Protection Commission (DPC) has fined Meta $101.5 million (€91 million) following the conclusion of its investigation into a 2019 security breach in which millions of user passwords were stored in plain text. Meta first disclosed the breach in January 2019, but the company later updated its announcement to reveal that Instagram user passwords were also affected.
The breach reportedly involved as many as 600 million plain-text passwords stored on Meta’s servers. The issue had gone unnoticed since 2012, and these passwords were accessible by over 20,000 Meta employees, though the DPC clarified that external parties did not have access to the compromised data.
According to the DPC’s investigation, Meta violated several General Data Protection Regulation (GDPR) rules. Specifically, the company failed to promptly notify the regulator of the breach and did not properly document the incident. Additionally, Meta failed to implement appropriate technical measures to ensure the security of users’ passwords, which would have protected them against unauthorized access.
The DPC highlighted the gravity of storing passwords in plain text, especially considering the risks involved in compromising social media accounts. Graham Doyle, the DPC’s Deputy Commissioner, emphasized that this lapse in security practices was particularly serious because the passwords at risk could have allowed unauthorized access to users’ social media accounts.
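The "appropriate technical measures" the DPC refers to come down to never keeping the password itself at rest: a login system needs only a salted, slow hash to check a password, so a record that still contains the plaintext is a defect wherever it lives (a database, a debug log, a crash dump). The example below is added here and is not code from the article, from Meta or from the DPC; it contrasts a plaintext record with an scrypt-hashed one using only the Python standard library, and the audit helper `record_exposes_password`, the sample password and the scrypt cost parameters are constructed for illustration.

```python
"""
Added example (not from the article or from Meta): storing a password as
received versus storing only a salted, memory-hard digest of it.
Standard library only: hashlib.scrypt, secrets, hmac.
"""
import hashlib
import hmac
import secrets

# --- The practice the regulator objected to: credential kept as received ----
def store_plaintext(password: str) -> dict:
    """Insecure: anyone who can read the record (or a log it lands in) has the password."""
    return {"scheme": "plain", "password": password}

# --- Appropriate technical measure: per-user salt, slow hash, no plaintext --
# scrypt cost parameters (constructed for this example; tune to your hardware budget)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

def hash_password(password: str) -> dict:
    """Return a record that lets us verify the password later without storing it."""
    salt = secrets.token_bytes(16)  # unique per user, so equal passwords differ at rest
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # The parameters are stored with the record so they can be raised later
    # without invalidating existing accounts.
    return {"scheme": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "digest": digest.hex()}

def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare."""
    if record.get("scheme") != "scrypt":
        return False
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=record["n"], r=record["r"], p=record["p"], dklen=DKLEN)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))

def record_exposes_password(record: dict, password: str) -> bool:
    """Audit check (hypothetical helper): does the serialised record contain the
    secret verbatim? The same check can be pointed at any storage or logging path."""
    return password in repr(record)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample, not a real credential
    bad = store_plaintext(pw)
    good = hash_password(pw)
    print("plaintext record leaks password:", record_exposes_password(bad, pw))  # True
    print("hashed record leaks password:", record_exposes_password(good, pw))    # False
    print("verify correct password:", verify_password(good, pw))                # True
    print("verify wrong password:", verify_password(good, pw + "x"))            # False
```

The hashed record holds hex digests and a scheme label, so the plaintext cannot appear in it; running `record_exposes_password` over whatever your application actually writes (database rows, log lines) is a cheap regression test for exactly the failure the DPC described.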
In addition to the hefty fine, the DPC also issued Meta a formal reprimand. The full details of this reprimand will become clearer once the DPC publishes its final decision and related documents in the coming days.
While Meta has acknowledged the breach and taken steps to address the issue, the DPC’s ruling underscores the importance of safeguarding personal data in compliance with GDPR standards.