Meta fined $101.5M for 2019 breach that exposed hundreds of millions of Facebook passwords

Date:

Share post:


Reset your clocks: Meta has been hit with yet another privacy penalty in Europe. On Friday, Ireland’s Data Protection Commission (DPC) announced a reprimand and a €91 million fine — around $101.5M at current exchange rates — after concluding a multi-year investigation into a 2019 security breach by Facebook’s parent company.

The DPC opened a statutory inquiry into the incident in question in April 2019 under the bloc’s General Data Protection Regulation (GDPR) after Meta, or Facebook as the company was still called back then, notified it that “hundreds of millions” of users’ passwords had been stored in plaintext on its servers.

The security incident is a legal issue in the European Union because the GDPR requires that personal data is appropriately secured.

After investigating, the DPC has concluded that Meta failed to meet the bloc’s legal standard since the passwords were not protected with encryption. It created a risk as third parties could potentially access people’s sensitive information stored in their social media accounts.

The regulator, which leads on oversight of Meta’s GDPR compliance, also found Meta broke the rules by failing to notify it of the breach within the required timeframe (the regulation generally stipulates breach reporting should take place no later than 72 hours after becoming aware of it). Meta also failed to properly document the breach, per the DPC.

Commenting in a statement, deputy commissioner Graham Doyle wrote: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

Reached for a response to its latest GDPR sanction, Meta spokesperson Matthew Pollard emailed a statement in which the company sought to play down the finding by claiming it took “immediate action” over what had been an “error” in its password management processes.

As part of a security review in 2019, we found that a subset of FB [Facebook] users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” Meta wrote. “We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.

Meta had already racked up a majority of the largest GDPR penalties handed out to tech giants so the latest sanction merely underscores the scale of its problems with privacy compliance.

The penalty is notably stiffer than a €17M fine the DPC handed to Meta in March 2022 over a 2018 security breach. The Irish regulator has had a change of senior management since then. However the two incidents are also different: Meta’s earlier security lapses affected up to 30 million Facebook users compared to the hundreds of millions whose passwords were said to have been exposed as a result of its failure to secure passwords in 2019.

The GDPR empowers data protection authorities to issue fines for breaches where the amount of any penalties is calculated based on factors such as the nature, gravity and duration of the infringement; the scope or purpose of the processing; and the number of data subjects affected and level of damage suffered, among other considerations.

The highest possible penalty under the GDPR is 4% of global annual turnover. So, in Meta’s case, a €91M fine may sound like a significant chunk of change — but it remains a tiny fraction of the billions the company could theoretically face, given its annual revenue for 2023 was a staggering $134.90B.



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Sony’s CES 2025 press conference: How to watch

Sony knows how to put on a show at CES. The company’s pressers are high octane, star-studded...

Samsung’s CES 2025 press conference: How to watch

Samsung’s CES presser is always an odd duck. The Korean electronics giant generally keeps its powder dry...

Watch Boston Dynamics’ electric Atlas do a backflip

A little early holiday surprise from Boston Dynamics this week, as Santa suit-wearing electric Atlas performs a...

Shuttered electric air taxi startup Lilium may be saved after all

A consortium of investors has resurrected Lilium just days after the electric air taxi startup ceased operations...

These are the cybersecurity stories we were jealous of in 2024

Since 2018, along with colleagues first at VICE Motherboard, and now at TechCrunch, I have been publishing...

Proton’s device aims to help those with kidney disease, and cut heart failure risks

People with chronic kidney disease, or those at risk of heart failure, are greatly affected by potassium...

Halide’s next version will come with new film filters, HDR

Lux, which makes the iPhone camera app Halide, published a roadmap on Monday detailing the app’s next...

Hyundai is giving away free Tesla NACs adapters to its EV customers

Hyundai said Monday it will send customers who have bought or leased an EV before January 31...