Meta has been fined €91M ($101M) after it was discovered that up to 600 million Facebook and Instagram passwords had been stored in plain text.
Some of those passwords had been unprotected since 2012, and were searchable by more than 20,000 Meta employees …
The security breach was discovered in 2019, but had reportedly existed for seven years, as Engadget reports.
While Meta didn’t say how many accounts were affected, a senior employee told Krebs on Security back then that the incident involved up to 600 million passwords. Some of the passwords had been stored in easily readable format in the company’s servers since 2012.
Not only did Meta break the law by failing to protect the passwords in the first place, but it also failed to comply with its legal obligation to promptly report the matter to the regulator once it was discovered.
The Irish Data Protection Commission (DPC) found that Meta violated several GDPR rules related to the breach. It determined that the company failed to “notify the DPC of a personal data breach concerning storage of user passwords in plaintext” without undue delay and failed to “document personal data breaches concerning the storage of user passwords in plaintext.” It also said that Meta violated the GDPR by not using appropriate technical measures to ensure the security of users’ passwords against unauthorized processing.
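The "appropriate technical measures" the DPC refers to are, in practice, never storing a password itself but only a salted, slow hash of it, so that anyone with read access to the database (including internal staff) learns nothing usable. The following Python example is added here to illustrate the contrast; it is not code from the article, from Meta or from the DPC. It assumes a constructed in-memory credential store (a plain dict) and uses the standard library's PBKDF2-HMAC-SHA256 as the hashing function; the `plaintext` variant reproduces the practice described in the article, and `audit_store` shows the kind of check a defender would run to find records that were never hashed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Record format written by hash_password (constructed for this example):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # slow on purpose; raise as hardware gets faster


def store_plaintext(store: Dict[str, str], username: str, password: str) -> None:
    """The practice the article describes: the password itself is written to the store,
    so anyone who can query the store can read it."""
    store[username] = password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing hash record: a fresh random salt per password means two
    users with the same password get different records, and the iteration count makes
    offline guessing expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time. A record that is not in the expected format never verifies."""
    parts = stored.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def store_hashed(store: Dict[str, str], username: str, password: str) -> None:
    """The appropriate measure: only the hash record is written; the password is discarded."""
    store[username] = hash_password(password)


def audit_store(store: Dict[str, str]) -> List[str]:
    """Defender's check: list usernames whose stored value is not a hash record
    (i.e. was stored in plaintext or in some other unexpected form)."""
    bad = []
    for username, value in store.items():
        parts = value.split("$", 3)
        if len(parts) != 4 or parts[0] != ALGO:
            bad.append(username)
    return sorted(bad)


if __name__ == "__main__":
    creds: Dict[str, str] = {}            # constructed sample store
    store_plaintext(creds, "alice", "hunter2")
    store_hashed(creds, "bob", "hunter2")
    print("records needing remediation:", audit_store(creds))   # ['alice']
    print("bob login ok:", verify_password("hunter2", creds["bob"]))
```

Remediation for records the audit flags is not to "hash what is there" on the spot in isolation but to force a password reset, because the plaintext value must be assumed to have been exposed for as long as it sat readable; the audit output is the list of accounts to notify and reset.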
9to5Mac’s Take
A $101M fine seems rather small for a breach of this severity over such a long period of time. With email addresses and passwords, an attacker could have taken over hundreds of millions of Facebook and Instagram accounts.
For Facebook in particular, it would have exposed posts which were deliberately limited to a small audience of close friends for privacy reasons.
Europe’s GDPR law allows companies to be fined up to 4% of their global revenue for breaches of privacy requirements, so there was scope here for a much more meaningful fine. It’s only when regulators start levying fines that will lead to senior execs losing sleep that we’ll see companies take privacy breaches with the level of seriousness they deserve.
Photo by Mourizal Zativa on Unsplash