Ireland’s Data Protection Commission (DPC) has fined Meta $101.5 million (€91 million) after concluding an investigation into a 2019 security breach in which the company mistakenly stored user passwords in plain text. Meta’s initial announcement only mentioned that in January of that year some user passwords had been discovered stored in plain text on its servers. But a month later, it updated its announcement to reveal that millions of Instagram passwords were also stored in an easily readable format.
While Meta did not disclose how many accounts were affected, a senior employee told Krebs on Security at the time that the incident involved as many as 600 million passwords. Some of the passwords had been stored on the company’s servers in an easily readable format since 2012. More than 20,000 Facebook employees were reportedly also able to search for the passwords, though the DPC clarified in its decision that the passwords were at least not made available to external parties.
The DPC found that Meta violated several GDPR rules in relation to this breach. It determined that the company failed to “notify the DPC of a personal data breach in which user passwords were stored in clear text” without undue delay and failed to “document a personal data breach in which user passwords were stored in clear text”. It also said that Meta violated the GDPR by failing to use appropriate technical measures to ensure the security of users’ passwords and prevent unauthorized processing.
“Given the risk of abuse posed by people accessing such data, it is generally accepted that user passwords should not be stored in clear text. It must be remembered that the passwords considered in this case are particularly sensitive as they provide access to the user’s social media accounts,” DPC deputy commissioner Graham Doyle said in a statement.
In addition to the fine, the DPC also reprimanded the company. We will likely know more about what this means for Meta when the commission releases the full final decision and other related information in the future.