Meta Fined $101.5M in 2019 Breach Exposing Millions of Facebook Passwords
Meta, the parent company of Facebook, has been hit with a significant fine of €91 million (approximately $101.5 million USD) by Ireland’s Data Protection Commission (DPC) following a multi-year investigation into a major security breach that occurred in 2019.
The breach in question involved the storage of hundreds of millions of Facebook user passwords in plaintext, a practice that severely violated the General Data Protection Regulation (GDPR) rules. The DPC found that Meta failed to meet the legal standard for data security by not encrypting these passwords, thereby creating a substantial risk that third parties could access users' sensitive information stored in their social media accounts.
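To make the storage failure concrete, here is an added illustration that is not from the article and does not describe Meta's actual systems: a credential store that keeps recoverable plaintext (what the DPC found) beside the practice the GDPR security standard expects, which is a per-user salted, deliberately slow password hash that a service can verify without ever being able to recover the password. The sample store, the `scrypt$` record format and the helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed sample: a store that keeps passwords in recoverable plaintext.
SAMPLE_STORE: List[Tuple[str, str]] = [
    ("alice", "hunter2"),
    ("bob", "correcthorsebatterystaple"),
]

# scrypt work factor: 128 * n * r = 16 MiB per hash, slow enough to blunt offline guessing.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)

# Record layout used by this example: scrypt$<base64 salt>$<base64 digest>
HASHED_RE = re.compile(r"^scrypt\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a one-way, per-user salted record; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # malformed or plaintext record: never treat it as a valid credential
    salt, expected = base64.b64decode(parts[1]), base64.b64decode(parts[2])
    actual = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(actual, expected)


def find_plaintext_entries(store: List[Tuple[str, str]]) -> List[str]:
    """Audit check: usernames whose credential is not in the expected hashed format."""
    return [user for user, cred in store if not HASHED_RE.match(cred)]


def migrate(store: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Remediation: replace each plaintext entry with its hashed record."""
    return [(u, c if HASHED_RE.match(c) else hash_password(c)) for u, c in store]


if __name__ == "__main__":
    print("plaintext entries:", find_plaintext_entries(SAMPLE_STORE))
    print("after migration:", find_plaintext_entries(migrate(SAMPLE_STORE)))
```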
In addition to the improper storage of passwords, the investigation revealed other critical lapses in Meta's compliance with GDPR. The company was found to have failed to notify the DPC of the breach within the required 72-hour timeframe, as stipulated by the regulation. Moreover, Meta did not properly document the breach, further exacerbating the regulatory violations.
The DPC's findings underscore the gravity of the situation, with Deputy Commissioner Graham Doyle emphasizing the sensitivity of the compromised data and the unacceptable storage practices that exposed users’ passwords. This incident highlights ongoing concerns about Meta's ability to ensure user privacy and data security, particularly given the company's history of similar breaches. For instance, Meta was also fined €17 million for a 2018 breach, indicating a pattern of security lapses.
In response to the fine, Meta spokesperson Matthew Pollard stated that the company had taken "immediate action" to rectify the issue, and said there was no evidence that the exposed passwords had been improperly accessed. The fine nonetheless underscores the need for more stringent measures to protect user data and comply with regulatory requirements.
The fine is a result of the DPC's role in overseeing Meta's GDPR compliance, and it serves as a reminder of the stringent data protection laws in place within the European Union. The investigation and subsequent penalty reflect the regulatory body's commitment to enforcing these laws and ensuring that companies like Meta adhere to the highest standards of data security and user privacy.