- Ireland’s Data Protection Commission (DPC) has fined Meta €91 million ($101.5 million) over a 2019 incident in which the passwords of hundreds of millions of users were stored in plaintext, with neither hashing nor encryption applied.
- The DPC also found that Meta failed to notify it of the breach within the required timeframe and did not properly document it.
- Meta says it fixed the error as soon as it came to light and has no evidence that the passwords were misused.
On Friday, Ireland’s Data Protection Commission (DPC) slapped Meta with a €91 million ($101.5 million) fine for the 2019 breach that left the passwords of hundreds of millions of users exposed.
The DPC opened its inquiry in April 2019 into whether Meta (then known as Facebook) had violated the EU’s General Data Protection Regulation (GDPR). Article 32 of the GDPR requires companies to apply appropriate technical and organisational measures to protect personal data, and it names encryption and pseudonymisation as examples of such measures.
The inquiry found that Meta had stored the affected passwords in plaintext on its servers, with neither hashing nor encryption applied, so anyone with access to those systems could read them directly. The accepted protection for passwords is not encryption, which is reversible by whoever holds the key, but a salted, deliberately slow one-way hash that lets a service verify a login without ever holding the password itself.
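As an added illustration (not code from the article or from Meta), the following Python contrasts the storage pattern the DPC objected to with the standard alternative: a salted, slow password hash that can verify a login without retaining the password. The usernames, passwords and in-memory `db` dictionary are constructed sample data, and the record layout `pbkdf2_sha256$iterations$salt_hex$hash_hex` is this example’s own convention.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations is the figure OWASP
# recommends for this construction; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(db: dict, username: str, password: str) -> None:
    """The pattern the DPC objected to: the password is kept exactly as typed.

    Anyone who can read `db` (an administrator, a log shipper, a backup, an
    attacker with a SQL injection) immediately has every user's password.
    """
    db[username] = {"password": password}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records and precomputed tables are useless. The iteration count
    is stored alongside the hash so it can be raised later without breaking
    existing accounts.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def store_hashed(db: dict, username: str, password: str) -> None:
    """Hardened form: only the salted hash is persisted; the password never is."""
    db[username] = {"password_hash": hash_password(password)}


# Record used when the username does not exist, so a failed login costs the
# same time whether or not the account is real (no username-enumeration oracle).
_NO_SUCH_USER = hash_password("placeholder", salt=bytes(SALT_BYTES))


def verify_password(db: dict, username: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    record = db.get(username)
    stored = record["password_hash"] if record else _NO_SUCH_USER
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak how many leading bytes matched.
    return record is not None and hmac.compare_digest(digest.hex(), digest_hex)


def exposes_password(db: dict, username: str, password: str) -> bool:
    """Reviewer's check: does the persisted record contain the secret itself?"""
    return password in repr(db.get(username, {}))


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    leaky, safe = {}, {}
    secret = "correct horse battery staple"
    store_plaintext(leaky, "alice", secret)
    store_hashed(safe, "alice", secret)
    print("plaintext store leaks password:", exposes_password(leaky, "alice", secret))
    print("hashed store leaks password:   ", exposes_password(safe, "alice", secret))
    print("login with right password:     ", verify_password(safe, "alice", secret))
    print("login with wrong password:     ", verify_password(safe, "alice", secret + "r"))
```

PBKDF2 is used here only because it ships in the Python standard library; argon2id or bcrypt are equally accepted choices and need a third-party package. Whatever the algorithm, the point the regulator made still holds: once a record looks like the plaintext one above, every reader of the database, its backups and its logs holds the credential itself.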
The DPC’s second finding was that Meta did not notify it of the breach within the timeframe the GDPR requires (Article 33: without undue delay and, where feasible, within 72 hours of becoming aware of it), and that it failed to properly document the breach as Article 33(5) requires.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Deputy Commissioner Graham Doyle.
Meta spokesperson Matthew Pollard said the company took immediate action to fix what it described as an “error” in its password management once the issue came to light.
Meta added that the passwords were only temporarily held in plaintext on its servers and that it has no evidence they were misused.
“We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry,” Meta said.
This is not the first time the company has been found in breach of the GDPR and fined; most of the largest GDPR fines imposed on technology companies in the EU have gone to Meta.
Few of its earlier security incidents were on this scale. The 2018 access-token breach, for example, was put at about 30 million affected accounts, whereas this incident involved hundreds of millions. Because the GDPR (Article 83(2)) directs regulators to weigh the nature, gravity and duration of an infringement, the number of people affected and the damage they suffered, among other factors, that scale fed directly into the size of the fine.
The maximum penalty the GDPR allows is higher still: up to 4% of total worldwide annual turnover for the preceding financial year, or €20 million, whichever is greater. Meta’s 2023 revenue was $134.90 billion, so the theoretical ceiling for a fine in this tier is roughly $5.4 billion.