Ireland's Data Protection Commission (DPC) has levied a fine of $101.5 million (€91 million) against Meta following an investigation into a data breach that occurred in 2019.
What We Know
The investigation revealed that Meta had been storing user passwords in plain text format. Initially, the company reported discovering the passwords in plaintext on its servers in January 2019. However, a month later, it was updated to include information that millions of Instagram users' passwords were also stored in an easily readable format.
While Meta did not disclose the exact number of affected accounts, a senior employee informed Krebs on Security that up to 600 million passwords might have been compromised. Alarmingly, some passwords had been publicly stored since 2012 and were accessible to over 20,000 Facebook employees. The DPC clarified that these passwords were not accessible to any third parties.
The Commission determined that Meta had violated several provisions of the General Data Protection Regulation (GDPR) adopted by the European Union. It found that Meta failed to notify the DPC of the breach and did not adequately document it. Furthermore, the company was criticized for not implementing appropriate technical measures to protect user passwords. In addition to the hefty fine, Meta received a formal reprimand from the DPC, with the full decision expected to be released at a later date.
