
The Irish Data Protection Commission (DPC) imposed a fine of $101.5 million on Meta. The reason was a violation of the rules for storing user passwords.
The problem was discovered in January 2019 when it turned out that some user passwords were stored on the company’s servers in plain text. Later, Meta reported that the problem also affected millions of Instagram user passwords.
A senior employee of the company told Krebs on Security that the incident could have affected up to 600 million passwords. Some of them had been stored in an unencrypted format since 2012. More than 20,000 Facebook employees had access to this data, although the DPC confirmed that external parties did not have access to the passwords.
The Commission found that Meta violated several rules of the General Data Protection Regulation (GDPR). The company failed to notify the DPC of the personal data leak in time, failed to properly document the incident, and failed to take appropriate technical measures to protect users’ passwords from unauthorized access.
Graham Doyle, Deputy Commissioner of the DPC, emphasized the importance of proper password storage:
“It is generally recognized that user passwords should not be stored in plain text because of the risk of misuse. It should be borne in mind that the passwords at issue in this case are particularly sensitive, as they provide access to users’ social media accounts.”
In addition to the fine, the DPC also reprimanded the company. The Commission plans to publish full information about the decision and related details later.
Source: Engadget