Meta spanked for violating GDPR as it stored 600 million social media account passwords in plaintext

Meta's infinity logo is printed above the company's wordmark on an off-white backdrop.
In a day and age when online security is more important than ever, Meta Platforms Ireland Limited (MPIL) was found to have stored over 600 million passwords belonging to Instagram and Facebook users in plaintext. Some of these passwords had been kept in this form for more than 10 years. The issue first came to light in 2019, when Facebook, now known as Meta, admitted to the Data Protection Commission (DPC) that hundreds of millions of passwords had inadvertently been stored unencrypted, in plaintext.

After a five-year investigation by the DPC, Meta's operations in Ireland were fined $101.5 million. Meta was found to have violated Europe's General Data Protection Regulation (GDPR) by not storing the passwords of many Instagram and Facebook users in a more secure manner. Meta claimed that these unencrypted passwords were not accessible to anyone outside the company. However, the company did admit that 2,000 engineers had made 9 million queries against this specific user database.

The DPC's decision found that Meta Platforms Ireland Limited (MPIL) failed to follow GDPR rules by committing the following violations:

Article 33(1): MPIL failed to notify the DPC of a personal data breach concerning the storage of user passwords in plaintext;
Article 33(5): MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
Article 5(1)(f): MPIL did not use appropriate technical or organizational measures to ensure appropriate security of users' passwords against unauthorized processing; and
Article 32(1): MPIL did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.

The DPC's decision includes a reprimand pursuant to Article 58(2)(b) GDPR and the fine of 91 million Euro ($101.5 million) mentioned above. The DPC added that it will publish the full Decision and further related information in due course. It is believed that the passwords covered by the ruling belong only to non-US users. In 2019, Meta told CNN that the majority of the plaintext passwords were for a service called Facebook Lite, a slimmed-down version of the social network built for regions of the world with slower internet connectivity.


Meta owns Facebook, Messenger, Instagram, and WhatsApp.
