
The Irish Data Protection Commission (DPC) has penalized Meta, the owner of Facebook, for violating the General Data Protection Regulation (GDPR) in Ireland.

The tech giant was fined €91 million ($101.56 million) for failing to notify the DPC promptly of a data breach. In particular, Meta failed to document personal data breaches relating to the storage of user passwords in plaintext.

Meta's response to the breach was not only insufficient; the firm also neglected to implement the technical measures needed to keep users' passwords confidential.

The DPC's investigation found that the breach exposed a large number of user passwords, potentially allowing unauthorized access to accounts on Meta's applications.

The investigation dates back to March 2019, when the US-based firm disclosed that it had accidentally stored users' passwords in plaintext in its systems.

At the time, Meta reported that a subset of users' Facebook passwords had been exposed in plaintext, but said it had found no evidence of improper access or internal abuse.

That disclosure nonetheless prompted the DPC to open an in-depth investigation into the incident to determine whether the GDPR had been violated.

Graham Doyle, the DPC's deputy commissioner, said it is “widely accepted” that user passwords should not be stored in plaintext, “considering the risks of abuse.”

‘No evidence of password abuse’

Meta said a security review had found that a “subset” of Facebook users' passwords had been “temporarily logged in a readable format.”

In an official statement, Meta said it had taken immediate action to fix the error.

“There is no evidence that these passwords were abused or accessed improperly,” stated the tech giant. 

Denying the allegations, Meta stated: “We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”

Javvad Malik, lead security awareness advocate at KnowBe4, told EM360Tech that the GDPR is clear in its requirements for prompt notification of data breaches, and that seeing a company the size of Meta overlook this is concerning.

"What is particularly troubling about this incident is not just the storage of sensitive information in an insecure manner, but also the apparent delay in notifying the relevant regulators and impacted users,” added Javvad.

Since the Cambridge Analytica scandal in the 2010s, Meta has been under close scrutiny from authorities around the world over its data-protection practices.

The scandal led the Facebook owner to pay a $725 million (£600 million) settlement in a legal action over a data breach linked to the political consultancy Cambridge Analytica, a case that continues to keep watchdogs on high alert.

This long-running dispute between Meta and the British company has attracted media attention worldwide as the social media conglomerate was accused of allowing third parties to access Facebook users' personal data for political advertising.

In particular, the accusation alleged that the personal data was used without the users' knowledge or consent to aid the political campaigns of conservative candidates in the 2016 US election.

Meta’s repeated GDPR violation draws scrutiny

Recently, the Dublin-based watchdog has also issued hefty fines over Meta's other social media platforms: a €405 million fine concerning Instagram's mishandling of teen data, a €5.5 million penalty involving WhatsApp, and a €1.2 billion fine against Meta over transatlantic data transfers.

EM360Tech reported in November 2022 that Meta had been fined €265 million ($275 million) by the Irish DPC after the personal data of more than half a billion users was found on a hacking site.

At that time, too, the Irish DPC found that the social media giant had broken multiple GDPR provisions, after an inquiry into the April 2021 data breach concluded that the company had failed to protect the data of more than 530 million Facebook users.

Krebs on Security noted that some of the passwords in Meta’s latest data violation date back to 2012. A senior employee stated that "some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords."

Instagram's parent company acknowledged the mistake a month later, noting that millions of Instagram passwords had also been stored in a similar manner and that it was notifying affected users.

"It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts,” stated Graham.

Javvad told EM360Tech that from a technical perspective, it may be easy to fix these issues. However, “it doesn't address the cultural perspective which organizations need to bear in mind in order to be effective in cultivating security responsibility throughout the organization.”
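The technical side of the failure described in this article, passwords “temporarily logged in a readable format”, is one a logging-layer control can prevent and a log audit can detect. The Python below is an added example written for this page, not Meta's code or anything from the DPC decision; the sensitive field names, the sample log messages and the logger name are constructed for illustration.

```python
import io
import logging
import re
from typing import Iterable, List

# Field names whose values must never reach a log line in readable form (constructed list).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")
REDACTED = "[REDACTED]"

# Matches `key=value` and `"key": "value"` forms for the keys above, case-insensitively.
# Group 1 is the key plus separator, group 2 is the value to be scrubbed.
_KEYS = "|".join(SENSITIVE_KEYS)
_SENSITIVE_RE = re.compile(
    r"(?i)(\b(?:" + _KEYS + r")\b\s*[\"']?\s*[:=]\s*[\"']?)([^\s,\"'}&]+)"
)

def redact(text: str) -> str:
    """Replace the value of any credential-bearing key found in a free-text line."""
    return _SENSITIVE_RE.sub(lambda m: m.group(1) + REDACTED, text)

class CredentialRedactingFilter(logging.Filter):
    """Preventive control: scrub credentials from a record before any handler formats it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(v) if isinstance(v, str) else v for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        return True  # keep the record; it is now safe to write

def find_leaks(lines: Iterable[str]) -> List[str]:
    """Detective control: return the log lines that still carry a readable credential value."""
    return [ln for ln in lines
            if any(m.group(2) != REDACTED for m in _SENSITIVE_RE.finditer(ln))]

# Constructed sample messages of the kind a debug statement might emit during a login flow.
SAMPLE_MESSAGES = [
    "login attempt user=alice password=hunter2 ip=10.0.0.5",
    '{"event": "reset", "user": "bob", "token": "abc123"}',
    "session refreshed user=carol",
]

def emit_with_filter(messages: List[str]) -> List[str]:
    """Run the messages through a logger carrying the filter and return the formatted lines."""
    stream = io.StringIO()
    logger = logging.getLogger("demo.redact")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(CredentialRedactingFilter())
    for m in messages:
        logger.debug(m)
    return stream.getvalue().splitlines()
```

Running `find_leaks` over the raw messages flags the two that carry a password or token, while the same check over `emit_with_filter(SAMPLE_MESSAGES)` returns nothing, which is the audit result a team would want to see before a log store is opened to thousands of internal queries.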