Meta was fined €91 million for storing millions of Facebook and Instagram passwords in plaintext.
The Irish Data Protection Commission (DPC) fined Meta €91 million ($101.56 million) as part of an investigation into a security breach in March 2019, when the firm revealed that it had erroneously saved customers' passwords in plaintext on its systems.
The DPC initiated an inquiry the following month, and discovered that the social media behemoth violated four separate sections of the European Union's General Data Protection Regulation (GDPR).
To that end, the DPC faulted Meta for failing to promptly notify the DPC of the data breach, disclose personal data breaches including the storage of user passwords in plaintext, and implement appropriate technical means to maintain the secrecy of users' passwords.
Meta initially reported that the privacy breach exposed a portion of users' Facebook passwords in plaintext, but said there was no evidence that they were unlawfully accessed or exploited internally.
According to Krebs on Security, some of these passwords date back to 2012, with a senior employee claiming that "some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords."
A month later, the business admitted that millions of Instagram passwords were saved in a similar manner and that it was alerting affected users.
"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," Graham Doyle, deputy commissioner at the DPC, stated in a press release.
"It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."
In a statement to the Associated Press, Meta said it took "immediate action" to correct the error and "proactively flagged this issue" to the DPC.
Source: The Hacker News