Facebook Owner Meta Fined $100M Over Password Security Lapse

An Irish regulatory agency fined Facebook owner Meta more than $100 million for failing to properly encrypt users' passwords.

Ireland's Data Protection Commission said Friday it had levied the $101.5 million fine on Meta Platforms Ireland Limited as the result of an investigation that began in April 2019 when the tech giant informed DPC that it had "inadvertently" stored some users' passwords in plaintext on its internal systems without cryptographic protection or encryption.

The regulatory agency said Meta "did not use appropriate technical or organizational measures to ensure appropriate security of users' passwords against unauthorized processing."

DPC said Meta violated four sections of the European Union's General Data Protection Regulation.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said DPC Deputy Commissioner Graham Doyle in a statement.

"It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts," it continued.

Meta, in a statement to Infosecurity Magazine, said they alerted authorities about the users' passwords immediately.

"As part of a security review in 2019, we found that a subset of FB users' passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly," the statement said.

The EU regulations require data companies to report and document breaches of personal data and to notify authorities of the problem "without undue delay."

"A personal data breach may, if not addressed in an appropriate and timely manner, result in damage such as loss of control over personal data," DPC said.