General Data Protection Regulation (GDPR), Governance & Risk Management, Password & Credential Management
Fine Is For 2019 Disclosure That Meta Stored User Passwords In Plaintext
The Irish data regulator fined social media giant Meta 91 million euros after an investigation found the company had insecurely stored the passwords of millions of European Facebook and Instagram users.
The Data Protection Commissioner’s Office launched an investigation into Meta Ireland in 2019 after the company informed the regulator that it had accidentally stored the passwords of Facebook and Instagram users in plaintext.
The agency said Friday that Meta, by storing passwords less securely, violated multiple privacy requirements under the General Data Protection Regulation.
These include failing to notify the regulator of the incident in a timely manner, not documenting the impact of the incident on users’ personal data, not implementing appropriate technical safeguards to secure users’ data, and failing to ensure the confidentiality of that data.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Deputy Commissioner Graham Doyle. “Passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media.”
A Meta spokesperson said the company identified the problem following a security review in 2019 and that it took “immediate action” to fix the issue.
“There is no evidence that these passwords were abused or accessed improperly. We have engaged constructively with the UK DPC throughout this inquiry,” the spokesperson told Information Security Media Group. The statement echoes what the company said in disclosing the incident, writing in 2019 that “these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.” It estimated the number of affected accounts as numbering in the hundreds of millions.
The spokesperson added that the company has strengthened its multi-factor authentication and end-to-end encryption since 2019 to offer enhanced security for its users.
Meta has faced several regulatory actions from European data regulators over its privacy practices in recent months.
In June, the company temporarily halted its plans to train its artificial intelligence system on data harvested from European Instagram and Facebook users after coming under pressure from the Irish DPC and other European data protection authorities. In 2022, the DPC fined Meta 265 million euros after the company exposed the data of 533 million users, including names, phone numbers and birthdates of consumers in 106 countries (see: Meta Fined by Irish Privacy Regulator for GDPR Violations).