Meta fined by Irish DPC over data encryption

Ireland’s privacy regulator, the Data Protection Commission (DPC), has fined Meta Platforms a whopping €91 million over a security flaw in its internal systems that came to light five years ago, and has also issued a reprimand.

In January 2019, Meta discovered that it had stored several hundred million account passwords in an unencrypted, plaintext format. The issue mostly affected users of Facebook Lite. Tens of millions of other Facebook users were affected as well, along with a smaller number of Instagram accounts.

Meta disclosed the issue in March 2019 following a routine security review. Meta said it found no signs that the data had left its internal systems or had been accessed by an employee without permission. The DPC is responsible for enforcing Meta’s compliance with the EU’s GDPR privacy law.


The DPC launched a probe into the plaintext passwords in April 2019. This past June, it determined that the way Meta stored the data breached four GDPR provisions. Two of the four provisions Meta breached define how companies must respond to so-called personal data breaches.

Meta was found to have run afoul of a GDPR provision that requires companies to thoroughly document personal data breaches. Additionally, Meta failed to comply with a section of the law that defines how such incidents must be disclosed to regulators. The GDPR mandates, among other things, that companies notify authorities of a data breach within 72 hours of discovering it.

The two other GDPR provisions that Meta breached specify the steps a company must take to protect user data.

  • The first clause mandates the implementation of “appropriate technical or organisational measures” for securing user passwords.
  • The second clause specifies that companies must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
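As an added illustration (not Meta's code or anything from the DPC decision), here is the plaintext pattern the article describes beside a store that keeps only a per-user salt and a memory-hard scrypt digest; the class and function names are hypothetical, and the audit check at the end shows why only the second store satisfies the two provisions above.

```python
import hashlib
import hmac
import os

class PlaintextStore:
    """The failure the article describes: the credential itself is kept, so
    whoever can read the store, a backup or a debug dump holds every password."""
    def __init__(self):
        self._rows = {}
    def register(self, user, password):
        self._rows[user] = password
    def verify(self, user, password):
        return self._rows.get(user) == password
    def dump(self):  # serialised form, as it would land on disk or in a log
        return "\n".join(f"{u}:{p}" for u, p in self._rows.items()).encode()

class HashedStore:
    """Keeps only a per-user random salt and a memory-hard scrypt digest, so
    the store never contains the password and cannot leak it."""
    N, R, P = 2 ** 14, 8, 1  # scrypt cost: about 16 MiB per derivation
    def __init__(self):
        self._rows = {}
    @classmethod
    def _derive(cls, password, salt):
        return hashlib.scrypt(password.encode(), salt=salt,
                              n=cls.N, r=cls.R, p=cls.P, dklen=32)
    def register(self, user, password):
        salt = os.urandom(16)
        self._rows[user] = (salt, self._derive(password, salt))
    def verify(self, user, password):
        row = self._rows.get(user)
        if row is None:
            self._derive(password, bytes(16))  # uniform timing for unknown users
            return False
        salt, digest = row
        return hmac.compare_digest(digest, self._derive(password, salt))
    def dump(self):
        return "\n".join(f"{u}:{s.hex()}:{d.hex()}"
                         for u, (s, d) in self._rows.items()).encode()

def store_exposes(store, password):
    """Audit check: does the serialised store contain the password verbatim?"""
    return password.encode() in store.dump()
```

Running `store_exposes` over a serialised credential store, a backup or a log file is the kind of check that would have surfaced the problem the article describes before a routine review did.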

Today’s DPC decision doesn’t mark the first time that Meta has been fined in Ireland over GDPR compliance issues.

In September 2022, the company received a €405 million penalty after regulators determined that Instagram had failed to protect children’s privacy adequately. A few months later, the DPC fined Meta another €265 million over weak security settings that allowed hackers to download a large quantity of user data.
