Meta Fined $101.5 Million for a Breach That Affected Millions of Users

by Krishi Chowdhary, from Techreport
  • A 2019 breach left the passwords of hundreds of millions of Meta users exposed as they were stored in simple plain text with no encryption.
  • Hence, Ireland's Data Protection Commission (DPC) imposed a €91 million ($101.5 million) fine on Meta.
  • The company addressed the issue and said it had taken immediate action to fix its mistake.

On Friday, Ireland's Data Protection Commission (DPC) slapped Meta with a €91 million ($101.5 million) fine for the 2019 breach that left the passwords of hundreds of millions of users exposed.

The investigation started in April 2019 and Meta (then known as Facebook) was accused of violating the bloc's General Data Protection Regulation (GDPR). This law requires companies to properly encrypt and secure the personal data of their users.

However, after the breach it was found that Meta had stored all those leaked passwords in simple plaintext on its server - no encryption in place. This made it easier for any third party to access the data.

The second accusation against the company is that it failed to give notice of the breach within the legally required timeframe, which is 72 hours. In addition, it failed to properly document the breach.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data" - Deputy Commissioner, Graham Doyle

What Does Meta Have to Say About This?

Meta spokesperson Matthew Pollard addressed the decision and said that they have been notified about the issue and have taken immediate action on this error in password management.

The company further said that these passwords were only temporarily stored in plaintext on the servers. Nevertheless, action has been taken and thankfully there is no evidence that these passwords were misused.

"We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry," - Meta

Meta's Previous Troubles With the GDPR

This isn't the first time that the company has been accused of violating the GDPR and fined. Most of the largest fines that have been handed out in the EU to tech companies were imposed on Meta.

But none of its previous breaches were as impactful as this one.

In all its previous security incidents, at most 30 million users have been affected in any single breach. But this time, hundreds of millions have been exposed. And since the GDPR fine is calculated on factors such as nature, impact, duration, and seriousness of the issue, this time around the company was hit by such a massive fine.

But it's still nowhere near the highest fine that can be imposed on it, which is 4% of its annual global revenue. Its annual revenue for 2023 was $134.90 billion.
