
Meta fined $101.5M for 2019 breach that exposed hundreds of millions of Facebook passwords

Reset your clocks: Meta has been hit with yet another privacy penalty in Europe. On Friday, the Irish Data Protection Commission (DPC) announced a fine of 91 million euros – about $101.5M at current exchange rates – concluding a multi-year investigation into a 2019 security breach at the parent company of Facebook.

The DPC opened an official investigation into the incident in April 2019 under the bloc’s General Data Protection Regulation (GDPR), after Meta, or Facebook as the company was still called at the time, informed it that “hundreds of millions” of user passwords had been stored in plain text on its servers.

The security incident is a legal issue in the European Union because the GDPR requires that personal data be adequately protected.

After its investigation, the DPC concluded that Meta failed to meet the bloc’s legal standard because the passwords were not encrypted. That created a risk that third parties could access the sensitive information people keep in their social media accounts.

The regulator, which oversees Meta’s GDPR compliance, also found that Meta violated the rules by failing to notify it of the breach within the required time (the regulation generally requires that a breach be reported within 72 hours of becoming aware of it). Meta also failed to properly document the breach, per the DPC.

Commenting in a statement, deputy commissioner Graham Doyle wrote: “It is widely accepted that user passwords should not be kept in plain text, given the risks of abuse posed by people who have access to such information. It must be remembered that the passwords in question in this case are very sensitive, as they will enable access to users’ social media accounts.”
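The principle Doyle states, that a login system should never persist the password itself, is usually implemented by storing only a salted, slow-to-compute verifier and by scrubbing credential fields from anything that is written to internal systems. The following is an added illustration by the editor, not code from the article, the DPC or Meta, and it says nothing about how Meta’s systems actually worked. It assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt and 600,000 iterations, and a constructed list of field names (`password`, `passwd`, `pwd`, `new_password`) to treat as secrets; the sample password and log record are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration (not from the article or from Meta):
# PBKDF2-HMAC-SHA256, a 16-byte random salt and 600,000 iterations.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
# Constructed list of field names to treat as credentials when logging.
SECRET_KEYS = {"password", "passwd", "pwd", "new_password"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a verifier from a password and return it as a self-describing string.

    The returned string (algorithm$iterations$salt$digest) is the only thing a
    login system needs to persist; the password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier from a login attempt and compare it in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        # Malformed or truncated verifier: refuse rather than guess.
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    # compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(candidate, expected)


def redact_secrets(record: dict) -> dict:
    """Return a copy of a structured log record with credential fields masked.

    This is the hygiene step that keeps a password out of internal data systems
    (logs, debug dumps) even when request payloads are captured verbatim.
    """
    return {k: ("[REDACTED]" if k.lower() in SECRET_KEYS else v)
            for k, v in record.items()}


def record_exposes_plaintext(password: str, record: str) -> bool:
    """True if the password appears verbatim in something about to be stored."""
    return password in record


if __name__ == "__main__":
    # Constructed sample input, not data from the incident.
    pw = "correct horse battery staple"
    verifier = hash_password(pw)
    print("stored verifier:", verifier)
    print("login with right password:", verify_password(pw, verifier))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", verifier))
    print("verifier leaks plaintext:", record_exposes_plaintext(pw, verifier))

    # Constructed request log record, scrubbed before it is written anywhere.
    log_record = {"event": "login", "user": "alice", "password": pw,
                  "ip": "203.0.113.7"}
    print("redacted log record:", redact_secrets(log_record))
```

The verifier string carries its own parameters, so the iteration count can be raised later without invalidating existing records: old entries keep verifying at their recorded cost and are re-hashed on the next successful login. The redaction step is deliberately separate from hashing, because the storage layer being correct does not help if the same password was copied into a log line upstream.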

Asked about its latest GDPR sanction, Meta spokesman Matthew Pollard sent a statement via email in which the company sought to play down the findings, saying it had taken “prompt action” on what had been a “defect” in its password management procedures.

“As part of a security update in 2019, we discovered that a subset of FB [Facebook] user passwords were temporarily stored in a human-readable format within our internal data systems. We have taken immediate steps to correct this error, and there is no evidence that these passwords were abused or accessed improperly,” wrote Meta. “We have raised the issue with our lead regulator, the Irish Data Protection Commission, and have engaged with them constructively throughout the investigation.”

Meta had already copped most of the biggest GDPR fines handed down to tech giants, so the latest sanction underlines the extent of its problems with privacy compliance.

The penalty is more severe than the €17M fine the DPC imposed on Meta in March 2022 for a 2018 security breach. The Irish regulator has had a change of top management since then. The two cases also differ in scale: the earlier breach affected 30 million Facebook users, compared to the hundreds of millions whose passwords were allegedly exposed by Meta’s failure to protect them in 2019.

The GDPR empowers data protection authorities to issue fines for breaches where the amount of any fines is calculated based on factors such as the nature, gravity and duration of the breach; the scope or purpose of the processing; and the number of data subjects affected and the extent of the damage caused, among other considerations.

The highest possible fine under the GDPR is 4% of annual global turnover. So, in Meta’s case, the €91M fine is chump change – a small fraction of the billions the company could face, given that its 2023 revenue was $134.90B.
