Meta Fined €91 Million for Password Storage Error
Posted: Sun Sep 29, 2024 12:48 am
The European Union’s lead privacy regulator, Ireland’s Data Protection Commission (DPC), has fined Meta €91 million ($101.5 million) for storing some users' passwords in an unprotected format. The fine follows a five-year investigation into Meta’s practices, triggered by a 2019 security incident.
Graham Doyle, Deputy Commissioner of the DPC, emphasized the risks associated with storing passwords in plaintext: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from unauthorized access to such data.”
Plaintext Password Storage Identified
In 2019, Meta self-reported to the DPC that some users’ passwords had been stored in plaintext, a format that leaves data vulnerable to unauthorized access. Meta publicly acknowledged the error at the time and assured regulators that no external parties had accessed the exposed passwords.
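To make the regulator's point concrete, the following is an added example (not code from the article, from Meta, or from the DPC) contrasting the plaintext representation described above with a salted, slow-hashed one, plus the kind of audit check a "routine security review" might run over stored records. It uses only the Python standard library; the scheme labels, field names, PBKDF2 iteration count and the sample records are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a 2024-era work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000
APPROVED_SCHEMES = {"pbkdf2-sha256"}  # assumption: the schemes the review accepts


def store_plaintext(password: str) -> dict:
    """The representation the article describes: whoever can read the record
    (a log sink, a backup, an engineer with broad access) can read the password."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, slow hash: the record verifies a password without containing it."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison for either record shape."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode("utf-8"), candidate.encode("utf-8"))
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_reveals_password(record: dict, password: str) -> bool:
    """Does the stored record itself contain the password as readable text?
    True for plaintext storage; False for the hashed form (hex output only)."""
    return password in " ".join(str(v) for v in record.values())


def audit_records(records: dict) -> list:
    """Review helper: return the user ids whose credential record is not stored
    under an approved slow-hash scheme. Needs no knowledge of any password."""
    return sorted(uid for uid, rec in records.items() if rec.get("scheme") not in APPROVED_SCHEMES)


# Constructed sample credential store (hypothetical users and passwords).
SAMPLE_STORE = {
    "user-001": store_hashed("correct horse battery staple"),
    "user-002": store_plaintext("hunter2"),
    "user-003": store_hashed("tr0ub4dor&3"),
    "user-004": store_plaintext("letmein"),
}

if __name__ == "__main__":
    print("records needing remediation:", audit_records(SAMPLE_STORE))
    print("plaintext record leaks password:", record_reveals_password(SAMPLE_STORE["user-002"], "hunter2"))
    print("hashed record leaks password:", record_reveals_password(SAMPLE_STORE["user-001"], "correct horse battery staple"))
```

The `audit_records` check is the part a defender can actually run at scale: it classifies records by scheme rather than by trying to recognise passwords, so it works on a store whose secrets it never needs to see. Remediation for the flagged records is to force a reset or re-hash on next successful login, never to re-derive hashes from the plaintext in place and keep the old copies.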
Meta’s Immediate Response
According to Meta, the error was identified during a routine security review, and the company took immediate steps to resolve the issue. A Meta spokesperson stated that no evidence was found suggesting that the passwords were accessed or misused. The company also engaged constructively with the DPC throughout the investigation, which spanned several years.
DPC’s Role and Previous Fines
Ireland’s DPC acts as the lead regulator for many U.S. tech firms under the General Data Protection Regulation (GDPR) because their European operations are based in Ireland. The DPC has fined Meta a total of €2.5 billion since the GDPR’s introduction in 2018, including a record-breaking €1.2 billion penalty in 2023, which Meta is currently appealing.
Ongoing Scrutiny and GDPR Compliance
While Meta has cooperated with regulators, the company continues to face scrutiny for its data practices in Europe. The DPC and other EU regulators are increasingly vigilant about ensuring tech companies comply with stringent data protection laws under GDPR.