Meta Fined Over $102 Million by EU for 2019 Password Security Breach
Meta has been fined over $102 million by the European Union’s lead privacy regulator for storing some users’ passwords in plaintext without encryption or protection in 2019. The breach, which Meta reported to Ireland’s Data Protection Commission (DPC) at the time, involved passwords being temporarily stored in a readable format. Although Meta quickly fixed the issue and there was no evidence of abuse or unauthorized access, the incident highlighted significant security lapses. The fine underscores the importance of stringent data protection practices, especially concerning sensitive user information like passwords.
Meta has been fined over $102 million (€91 million) by the European Union’s privacy regulator following a significant 2019 incident where the company inadvertently stored users’ passwords without encryption or adequate protection. This fine was issued by the Irish Data Protection Commission (DPC), which acts as the lead privacy regulator in the EU for Meta, due to the company’s European headquarters being located in Ireland.
The inquiry into this issue began five years ago when Meta, formerly known as Facebook, alerted the DPC that a number of user passwords had been stored in ‘plaintext,’ meaning they were held in readable form rather than as salted one-way hashes. Storing only a hash, so that whoever reads the stored record still does not learn the password, is the baseline security measure for this kind of data; reversible encryption is not a substitute, since anyone who can reach the key can recover the passwords. Meta publicly acknowledged the problem at the time, clarifying that the passwords were not exposed to any external parties and that the oversight was identified during an internal security review.
Graham Doyle, the Deputy Commissioner of the Irish DPC, emphasized the seriousness of the lapse by stating, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from unauthorized access to such data.” Passwords held in readable form pose a significant risk because anyone who can read the storage, an intruder or an insider with routine access to it, obtains credentials that can be used directly.
In response to the incident, a Meta spokesperson explained that a security review conducted in 2019 found that a “subset” of Facebook users’ passwords had been “temporarily logged in a readable format.” The company acted promptly to address the issue, implementing corrective measures immediately after discovering the error. Meta reiterated that there is no evidence to suggest that these passwords were accessed improperly or abused in any way.
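The two defects described above, credentials written to a log in readable form and the absence of a one-way hash, and their corrections, as an added illustration that is not Meta's code and not part of the original report. The login handler, the list of field names treated as sensitive, the sample request and the log format are all assumptions made for the example; the storage side uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt and a constant-time comparison on verification.

```python
"""Illustration (not Meta's code): how a password ends up readable in a log,
and the corrected handler that redacts it and stores only a salted hash."""
import hashlib
import hmac
import io
import logging
import os
from typing import Any, Dict, Optional, Tuple

# Constructed sample login request, as a web framework might hand it to a handler.
SAMPLE_REQUEST: Dict[str, Any] = {"user": "alice", "password": "hunter2!", "ip": "203.0.113.7"}

# Hypothetical list of field names whose values must never reach a log line.
SENSITIVE_KEYS = {"password", "passwd", "pass", "token", "secret"}

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def make_logger(name: str) -> Tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory buffer so the emitted log text can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def handle_login_unsafe(request: Dict[str, Any], logger: logging.Logger) -> None:
    """The failure mode: logging the whole request dict writes the plaintext
    password into whatever the log handler persists."""
    logger.info("login request: %s", request)


def redact(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of payload with sensitive fields masked before it is logged."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v for k, v in payload.items()}


def handle_login_safe(request: Dict[str, Any], logger: logging.Logger) -> None:
    """Corrected handler: only the redacted view of the request is logged."""
    logger.info("login request: %s", redact(request))


def log_leaks_secret(log_text: str, secret: str) -> bool:
    """The check a security review runs over log output: does the secret appear verbatim?"""
    return secret in log_text


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record to store instead of the password.
    The record carries its own parameters so the work factor can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: equal passwords yield different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    unsafe_log, unsafe_buf = make_logger("unsafe")
    handle_login_unsafe(SAMPLE_REQUEST, unsafe_log)
    print("unsafe log leaks password:", log_leaks_secret(unsafe_buf.getvalue(), SAMPLE_REQUEST["password"]))

    safe_log, safe_buf = make_logger("safe")
    handle_login_safe(SAMPLE_REQUEST, safe_log)
    print("safe log leaks password:", log_leaks_secret(safe_buf.getvalue(), SAMPLE_REQUEST["password"]))

    record = hash_password(SAMPLE_REQUEST["password"])
    print("stored record:", record)
    print("verify correct password:", verify_password(SAMPLE_REQUEST["password"], record))
    print("verify wrong password:", verify_password("hunter3!", record))
```

Running the script shows the unsafe handler's log line containing `hunter2!` while the safe handler's line shows `[REDACTED]`, and the stored record never contains the password at all. The `log_leaks_secret` check is the same kind of test an internal review would run over real log archives after the fix; a lower `iterations` value is only appropriate in tests, not in production storage.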
In its statement, Meta further elaborated on its stance during the investigation: “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly.”
The fine underscores the European Union’s stringent stance on data privacy and security, especially under the General Data Protection Regulation (GDPR), which mandates strict protocols for the handling and protection of personal data. The substantial penalty serves as a reminder to organizations of the critical importance of maintaining robust security measures to protect user information and the potential consequences of lapses in data protection.
