Meta is once again in the spotlight as it faces a €91 million (about $101 million) fine from Ireland’s Data Protection Commission (DPC). The fine stems from a 2019 incident in which Meta, the parent company of Facebook and Instagram, discovered that it had been storing some users’ passwords in plaintext. The DPC found this to be a violation of the European Union’s General Data Protection Regulation (GDPR), which requires controllers to protect personal data with appropriate technical and organisational measures.
How Did This Happen?
Back in 2019, Meta found that Facebook passwords had been written to internal systems in plaintext rather than stored as salted hashes, the baseline practice for credential storage. The distinction matters: a password should never be kept in a recoverable form at all, encrypted or otherwise, because the service only ever needs to check a candidate against a one-way hash. That the systems were internal was not a mitigating control; as many as 20,000 employees reportedly had access to them, which put the readable passwords outside the company’s normal access protections. Not long after, Meta found that millions of Instagram users’ passwords had been exposed in the same way.
Although the company publicly disclosed the issue at the time and promised to improve its security practices, Ireland’s DPC determined that the way these passwords were stored violated the GDPR, in particular the requirement to secure personal data with appropriate safeguards.
Delay in Decision: Why Now?
The decision comes more than five years after the incident, which has raised questions about the delay. The DPC has not explained why the investigation took so long, but it has said it will publish the full decision, with further details, in the near future. The extended timeline has prompted speculation, but the commission’s position is unchanged: Meta’s handling of user passwords did not meet GDPR standards.
Meta’s Response and Immediate Action
Meta has acknowledged the issue but has not yet said whether it intends to pay the fine. The company maintains that it acted promptly once the problem was identified. In a statement to PCMag, Meta said:
“As part of a security review in 2019, we found that a subset of Facebook users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly.”
Meta also noted that it had proactively flagged the issue to its lead regulator, the Irish Data Protection Commission, and cooperated throughout the investigation.
The Importance of Data Security
This incident is a reminder for all companies, not just Meta, of how user credentials must be handled. A password stored in plaintext, even transiently in a log line, is readable by anyone with access to that system and can be replayed against the same account elsewhere, and it invites severe legal consequences. The failure here was not in the credential database but in logging, which is why password handling has to be checked at every layer that can see a request body: application logs, crash reports and analytics pipelines included. Meta has since fixed the defect, but the fine shows the stakes of falling short of data-protection law, particularly under the GDPR.
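The two practices the article refers to, storing passwords only as salted one-way hashes and keeping the raw credential out of logs, as an added example written for this page rather than any code from Meta. PBKDF2-HMAC-SHA256 is used only because it ships in the Python standard library (Argon2id or scrypt are the usual production choices); the iteration count, the field names treated as secrets and the sample login request are all assumptions.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Credential storage: a random per-user salt plus a slow, one-way KDF.
# PBKDF2-HMAC-SHA256 is used here because it is in the standard library;
# Argon2id or scrypt are preferable in production.
KDF_NAME = "pbkdf2_sha256"
KDF_ITERATIONS = 600_000   # assumption: tune so one derivation costs a few hundred ms
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = KDF_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{KDF_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    name, iterations, salt_hex, digest_hex = stored.split("$")
    if name != KDF_NAME:
        raise ValueError(f"unsupported KDF record: {name}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Logging: the 2019 exposure was a credential reaching an internal log in
# readable form. Redact known secret fields (assumed names) before serialising.
SECRET_FIELDS = {"password", "passwd", "pwd", "new_password", "old_password"}


def redact(record: dict) -> dict:
    """Return a copy of record with every secret field, at any depth, replaced."""
    out = {}
    for key, value in record.items():
        if key.lower() in SECRET_FIELDS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


def log_line(event: str, record: dict) -> str:
    """Serialise a log event with secrets removed; fail closed if one slipped through."""
    safe = redact(record)
    line = json.dumps({"event": event, **safe}, sort_keys=True)
    # Defence in depth: if a top-level secret value is still present, refuse to
    # emit the line. (Can false-positive if a secret equals a non-secret value.)
    for key, value in record.items():
        if key.lower() in SECRET_FIELDS and isinstance(value, str) and value and value in line:
            raise RuntimeError("secret value leaked into log line")
    return line


if __name__ == "__main__":
    # Constructed sample request, not real data.
    login_request = {"user": "alice", "password": "correct horse battery staple",
                     "client": {"ip": "203.0.113.7", "app": "lite"}}
    stored = hash_password(login_request["password"])
    print("stored record:", stored)
    print("verify ok:  ", verify_password(login_request["password"], stored))
    print("verify bad: ", verify_password("wrong", stored))
    # The mistake: the whole request object goes into the log verbatim.
    print("naive log:  ", json.dumps(login_request))
    # The fix: secrets are stripped before the line is written.
    print("safe log:   ", log_line("login_attempt", login_request))
```

Running the block prints the stored record (which reveals nothing about the password), a successful and a failed verification, and the naive versus redacted log lines side by side; the redactor is the piece that would have prevented the incident the article describes.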
For users, the incident underscores the need for a strong, unique password on every service, so that one exposed credential cannot be replayed elsewhere. Companies, for their part, must continually review and test how credentials move through their systems rather than assume that internal access is safe.