The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly stored users’ passwords in plaintext in its systems.
The investigation, launched by the DPC the next month, found that the social media giant violated four different articles under the European Union’s General Data Protection Regulation (GDPR).
To that end, the DPC faulted Meta for failing to promptly notify the DPC of the data breach, document personal data breaches concerning the storage of user passwords in plaintext, and utilize proper technical measures to ensure the confidentiality of users’ passwords.
Meta originally revealed that the privacy transgression led to the exposure of a subset of users’ Facebook passwords in plaintext, although it noted that there was no evidence it was improperly accessed or abused internally.
According to Krebs on Security, some of these passwords date back to 2012, with a senior employee stating “some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords.”
A month later, the company acknowledged that millions of Instagram passwords were also stored in a similar manner, and that it’s notifying affected users.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, deputy commissioner at the DPC, said in a press statement.
“It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
In a statement shared with Associated Press, Meta said it took “immediate action” to fix the error, and that it “proactively flagged this issue” to the DPC.