The Irish Data Protection Commission determined that the corporation had violated a number of GDPR provisions.
After concluding an investigation into a security breach that occurred in 2019, the Irish Data Protection Commission (DPC) has fined Meta $101.5 million (€91 million). The breach occurred when the firm accidentally saved its users' passwords in plain text. The company's initial notice said only that Meta had discovered some user credentials stored in plain text on its servers in January of that year. A month later, however, it revised its disclosure to reveal that millions of Instagram passwords were also stored in an easily readable form.
According to a senior employee who spoke with Krebs on Security at the time, the breach involved as many as 600 million credentials. However, Meta did not publicly disclose the number of accounts that were compromised. Since 2012, the corporation's servers had been storing a number of the passwords in an easily readable format. They were also apparently searchable by more than 20,000 Facebook employees; however, the DPC underlined in its ruling that they were not made available to any third parties outside of Facebook.
The DPC determined that Meta had violated multiple GDPR provisions in connection with the incident. The investigation concluded that the company had failed to “document personal data breaches concerning the storage of user passwords in plaintext” and had failed to “notify the DPC of a personal data breach concerning storage of user passwords in plaintext” without undue delay. It also stated that Meta had violated the General Data Protection Regulation (GDPR) by failing to implement suitable technical safeguards to protect the confidentiality of users’ passwords.
It is generally agreed that user passwords should not be stored in plaintext, given the potential for misuse if someone gains access to such data. Graham Doyle, the Deputy Commissioner of the Department of Public Safety, said in a statement that it is imperative to keep in mind that the passwords at issue in this particular instance are very sensitive, since they would provide access to users' social media accounts.
In addition to the fine, the DPC has issued a reprimand to the corporation. What exactly that means for Meta may become clearer when the commission publishes its full final decision and any related information.