Meta, the parent company of Facebook and Instagram, has been fined $106 million by the Irish data protection regulator for storing the passwords of hundreds of millions of users in clear text on its internal servers, a practice that violates the EU's General Data Protection Regulation (GDPR).
Up to 600 million passwords exposed
According to information that came to light in 2019, up to 600 million Facebook and Instagram passwords were stored in plain text, neither hashed nor encrypted. Some had been in that state since 2012, and more than 20,000 Meta employees could access them.
Mark Zuckerberg's company acknowledged an "error" at the time and said it had taken immediate steps to remedy it. That was not enough to escape the Irish Data Protection Commission (DPC), which acts as Meta's lead supervisory authority in the EU because the company's European headquarters is in Dublin.
Multiple GDPR violations
After a lengthy investigation, the DPC concluded that Meta had violated several GDPR provisions: it failed to notify the regulator of the breach within the required time frame, failed to properly document the incident, and failed to put in place appropriate technical measures to protect the passwords.
“It is commonly accepted that passwords should not be stored in plain text, given the risks of abuse that arise from access to this data,” stressed DPC Deputy Commissioner Graham Doyle. With the email addresses and their matching passwords, an attacker, or any of the employees who could read them, could have taken control of hundreds of millions of accounts.
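To make the technical point concrete, here is an added example (not code from the article, and not Meta's code) contrasting the failure the DPC describes with the accepted practice: the plaintext record is the credential itself, while the hardened record is a per-user random salt plus a memory-hard scrypt hash, compared in constant time. The `verify` function also shows one remediation path: a legacy plaintext row is rehashed the first time the user logs in successfully, so the clear-text value disappears from the store. The in-memory `dict` store, the record format and the cost parameters are assumptions of this example, chosen so it runs offline with only the Python standard library.

```python
"""Plaintext vs. salted, memory-hard password storage (standard library only).

Example code, not Meta's implementation. The dict-based "database", the
"scrypt$N$r$p$salt$digest" record format and the cost parameters are this
example's own choices.
"""
import hashlib
import hmac
import os

# scrypt cost parameters for the example. N=2**14, r=8 needs 16 MiB per hash,
# which fits the default memory limit hashlib.scrypt inherits from OpenSSL.
# Production deployments should tune these upward to what their hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
DKLEN = 32
PREFIX = "scrypt"


def store_plaintext(db: dict, user: str, password: str) -> None:
    """The failure mode in the article: the stored record IS the password."""
    db[user] = password


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)


def store_hashed(db: dict, user: str, password: str) -> None:
    """Store a fresh random salt plus a memory-hard hash; the password is never written."""
    salt = os.urandom(16)
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    db[user] = "$".join(
        [PREFIX, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()]
    )


def is_hashed(record: str) -> bool:
    """True if the record is in this example's hashed format, False for a legacy plaintext row."""
    return record.startswith(PREFIX + "$")


def verify(db: dict, user: str, password: str) -> bool:
    """Check a login attempt. Legacy plaintext rows are migrated on first successful login."""
    record = db.get(user)
    if record is None:
        # Spend a hash anyway so an unknown user is not distinguishable by timing.
        _scrypt(password, b"\0" * 16, SCRYPT_N, SCRYPT_R, SCRYPT_P)
        return False
    if not is_hashed(record):
        # Legacy plaintext row (the state described in the article). Compare in
        # constant time; on success, replace it with a hashed record immediately.
        if hmac.compare_digest(record.encode("utf-8"), password.encode("utf-8")):
            store_hashed(db, user, password)
            return True
        return False
    _, n, r, p, salt_hex, digest_hex = record.split("$")
    expected = bytes.fromhex(digest_hex)
    actual = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    # Constant-time comparison so a mismatch position cannot leak through timing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed demo data, not real credentials.
    store = {}
    store_plaintext(store, "legacy_user", "hunter2")
    store_hashed(store, "new_user", "correct horse battery staple")
    print("What anyone with read access sees before migration:", store)
    print("legacy login:", verify(store, "legacy_user", "hunter2"))
    print("After the legacy user's first login:", store)
    print("wrong password:", verify(store, "new_user", "Tr0ub4dor&3"))
```

The two things a practitioner should take from the dump printed by the demo: a hashed record reveals neither the password nor whether two users share one (the per-user salt makes equal passwords produce different records), and a read-only insider with access to the store, the scenario the DPC describes, gains nothing directly usable from it.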
A fine deemed too lenient
Although $106 million may sound substantial, it is relatively modest given the seriousness and duration of the breach: the GDPR allows fines of up to 4% of a company's global annual turnover.
Meta already holds the record for GDPR fines, including $1.31 billion for illegally transferring the data of European Facebook users outside the EU. For the Californian giant to take privacy protection seriously, regulators would probably have to hit its wallet even harder.
Meta is the GAFAM company most often sanctioned by European authorities for GDPR violations, and the pattern shows no sign of stopping. Apple, whose European troubles are mostly with the DMA and DSA, is not known for taking the protection of its users' data lightly: it is almost never sanctioned under the GDPR, and it makes that a major marketing argument.