The Information Safety Fee (DPC) in Eire has fined Meta Platforms Eire Restricted (MPIL) €91 million ($100 million) for storing in plaintext passwords of tons of of thousands and thousands of customers.
The incident occurred in 2019. On the time, Meta disclosed it publicly and notified DPC, which initiated an investigation into the tech big’s practices for storing delicate person information.
“In March 2019, MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption),” reads DPC’s announcement.
Within the 2019 disclosure, Meta stated that it had discovered “some user passwords” saved on its methods in a readable format throughout a routine safety evaluate firstly of the 12 months.
Though the corporate didn’t say what number of customers have been impacted, it estimated that it might notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users” and thousands and thousands of Instagram customers.
It’s price noting that the passwords have been accessible to exterior events and the evaluate discovered no proof of abuse or improper entry.
Storing person account passwords with out correct protections, resembling encryption and entry management constitutes a violation of a number of Basic Information Safety Regulation (GDPR) articles regarding measures information controllers implement to ensure the safety of individuals’s information:
- Article 33(1) – Notification of a Private Information Breach: Meta didn’t notify the DPC in a well timed method that that they had saved person passwords in plaintext, which constitutes a private information breach.
- Article 33(5) – Documentation of a Private Information Breach: Meta didn’t correctly doc the non-public information breaches associated to the storage of person passwords in plaintext, failing to keep up enough data of the incident.
- Article 5(1)(f) – Integrity and Confidentiality: Meta didn’t implement enough safety measures to make sure the safety of customers’ passwords, as they have been saved in plaintext, missing encryption or cryptographic safety.
- Article 32(1) – Safety of Processing: Meta didn’t implement applicable technical and organizational measures to guard the passwords, resembling encryption, which might have maintained the confidentiality of the info and decreased the chance of unauthorized entry.
For the above violations, and making an allowance for that Meta knowledgeable the Irish information safety authority voluntarily DPC imposes an official reprimand and an administrative advantageous of €91 Million.
The DPC will publish at a later date its full choice and knowledge associated to the incident, the company stated.
