Meta slapped with €91 million fine by Ireland over massive password breach

September 27, 2024 05:38 AM PDT | By Invezz

Meta, the parent company of Facebook, has been fined €91 million by Ireland’s Data Protection Commission (DPC) over a serious password-security breach that affected 36 million Facebook and Instagram users in the European Economic Area (EEA).

The breach, discovered in early 2019, involved Meta inadvertently storing users’ passwords in plain text on its internal systems, where anyone with access to those systems could read them.

The fine highlights Meta’s failure to implement adequate security measures and its delay in reporting the breach to regulators.

Meta hit with hefty fine over major security lapses

In March 2019, Meta notified the Irish DPC that it had “inadvertently stored certain passwords of social media users” in an unprotected, readable format on its internal systems.

This discovery prompted an inquiry by the DPC, which found that Meta’s storage practices posed a significant security risk to users.

The passwords, stored in plain text, left millions of accounts vulnerable to misuse: anyone with read access to those internal systems could have used the credentials to log in as the affected users, or to try them against other services where the same password had been reused.

The DPC’s investigation revealed that 36 million users across the EEA, which includes the EU, Iceland, Liechtenstein, and Norway, were impacted by the breach.

Although Meta stated that there was no evidence the passwords had been accessed or misused, the regulator deemed the company’s actions insufficient in protecting users’ data and issued a hefty fine in response to the violation.

Meta’s delay escalates the fine

Another critical factor in the DPC’s decision was the delayed reporting of the breach by Meta.

Although the company discovered the issue in January 2019, it did not alert the regulator until March of that year, so the DPC learned of the exposure only after Meta had been aware of it for roughly two months.

The DPC was quick to point out that the delay in reporting was a breach of the GDPR, which requires companies to notify the supervisory authority within 72 hours of becoming aware of a personal data breach.

The delay compounded the seriousness of the breach: for as long as the regulator was unaware of it, no independent assessment of the risk to users, or of what they should be told, could take place.

The DPC cited Meta’s handling of the situation as inadequate, noting that the social media giant’s lack of appropriate security measures directly contributed to the data exposure.

Meta’s reaction and next steps

In its defence, Meta explained that the password issue occurred due to an internal error and that the problem was resolved promptly after its discovery.

The company claims that the error affected only a limited number of users, and it proactively notified the DPC once the issue was identified.

Meta further stated that there was no evidence to suggest the passwords were ever accessed or used for malicious purposes.

Despite these assurances, the DPC emphasised that storing passwords in plaintext is a serious violation of basic cybersecurity principles.

The commission highlighted that passwords should never be stored in readable form. Long-established practice goes further than encryption: a system should not keep the password at all, but only a salted, deliberately slow one-way hash of it (bcrypt, scrypt or Argon2), and should check a login attempt by recomputing that hash, so that a party who obtains a copy of the store, whether an outside attacker or someone with internal access, still cannot read the passwords or reuse them elsewhere.
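The defective plaintext storage described above, beside the corrected pattern, as an added example that is not from the article and not Meta's code: a salted, deliberately slow password hash (scrypt from Python's standard library) that is verified in constant time. The scrypt work factors, user names and passwords are constructed sample values, and a dump-inspection helper shows what a reader of each store learns.

```python
"""Added example: plaintext password storage versus a salted scrypt hash.
Standard library only; all names, passwords and work factors are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Illustrative scrypt work factors (assumption, not production values): tune
# them so one hash costs tens of milliseconds on the real login servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def store_plaintext(store: Dict[str, str], user: str, password: str) -> None:
    """The defective pattern behind the breach: the password itself is the
    record, so anyone who can read the store can read every password."""
    store[user] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and serialise it with its parameters so the
    record is self-describing for later verification. A fresh random salt per
    password means two users with the same password get different records and
    precomputed tables are useless against the store."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def store_hashed(store: Dict[str, str], user: str, password: str) -> None:
    """The corrected pattern: only the hash is written; the password is discarded."""
    store[user] = hash_password(password)


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time. Malformed or foreign records never verify instead of raising."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt, digest = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    recomputed = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, dklen=len(digest))
    return hmac.compare_digest(recomputed, digest)


def users_readable_from_dump(store: Dict[str, str], password: str) -> List[str]:
    """What a party with read access to a dump of the store learns: the users
    whose record contains the given password verbatim. Empty for a hashed store."""
    return [user for user, record in store.items() if password in record]


if __name__ == "__main__":
    bad: Dict[str, str] = {}
    good: Dict[str, str] = {}
    for user in ("alice", "bob"):          # constructed sample users
        store_plaintext(bad, user, "hunter2")
        store_hashed(good, user, "hunter2")
    print("plaintext dump reveals:", users_readable_from_dump(bad, "hunter2"))
    print("hashed dump reveals:   ", users_readable_from_dump(good, "hunter2"))
    print("login with right password:", verify_password(good["alice"], "hunter2"))
    print("login with wrong password:", verify_password(good["alice"], "Hunter2"))
```

The record format embeds the work factors so they can be raised later for new passwords without breaking verification of old ones; `hmac.compare_digest` avoids leaking how many bytes of the hash matched through timing.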

Financial and reputational implications for Meta

The €91 million fine represents a significant financial penalty for Meta, but the reputational damage may be even more costly.

With increasing scrutiny on how tech giants handle personal data, particularly in light of GDPR regulations, the incident adds to the growing list of challenges Meta faces in the EU.

The breach serves as a stark reminder of the importance of robust cybersecurity measures, especially when it comes to handling sensitive user information.

This latest fine adds to a series of regulatory actions taken against Meta by European authorities.

With the company’s vast user base and substantial influence, incidents like these further fuel concerns over how it handles the personal data entrusted to it by millions of people worldwide.

Strengthened regulatory oversight

The DPC’s decision to impose a significant fine on Meta sends a clear message to other companies operating in the EU: failure to adhere to GDPR standards will result in serious consequences.

In addition to the financial penalty, Meta’s handling of the breach underscores the need for enhanced regulatory oversight in the tech industry.

As cyberattacks and data breaches become increasingly common, regulators around the world are stepping up efforts to hold companies accountable for lapses in security and transparency.

For Meta, the €91 million fine could be just the beginning, as the company continues to face scrutiny over its data privacy practices across multiple jurisdictions.

The post Meta slapped with €91 million fine by Ireland over massive password breach appeared first on Invezz

