Meta, the parent company of major social media platforms including Facebook, Instagram, and WhatsApp, has received a penalty of 91 million euros ($101.5 million) from Ireland’s Data Protection Commission (DPC), the European Union’s lead data privacy regulator for the company, over how it handled user passwords. The fine followed an investigation which found that Meta had stored some user passwords in plaintext, an unprotected format that poses a serious threat to privacy and security.
The case dates back five years, when Meta itself alerted the DPC that certain user passwords had been stored in plaintext rather than in a protected form. Protecting stored passwords with hashing or encryption has become the norm because it keeps them secure even when unauthorized access to the storage does occur. Meta’s plaintext storage opened a vulnerability which, if exploited, could have led to serious privacy violations for the affected users.
While Meta publicly admitted the mistake upon discovering it, the DPC opened an investigation because the nature of the lapse fell under what is classed as a serious infringement of the GDPR. The GDPR, the regulatory framework designed to safeguard people’s data, requires companies that process personal information to meet specific security standards when handling users’ data. Storing passwords in plaintext is regarded as one of the most severe violations of these security requirements.
Graham Doyle, Deputy Commissioner of the Irish DPC, explained in a public statement why the fine was applied. “Everyone in the data security community operates with the assumption that passwords should never be held in plaintext because of the imperative danger of abuse,” he said. Even though the incident was not accompanied by any known damage, keeping passwords in plaintext is regarded as a major security failure that could have led to serious consequences.
To understand why this was such a serious issue, it helps to know how password storage works. Normally, when users create passwords, companies such as Meta do not keep the password itself but a protected form of it, produced by a hashing or encryption algorithm. Even if a hacker or other unauthorized person gained access to the database where that protected value is stored, they could not read or use the passwords without first recovering them, which is deliberately made extremely time-consuming and computationally intensive. If passwords are stored in plaintext, on the other hand, they are readable by whoever has access to the storage system.
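The contrast described above, as an added example that is not code from the article or from Meta’s systems: a credential store that keeps only a salted PBKDF2-HMAC-SHA256 digest (the iteration count is an assumed work factor), so that copying the whole store does not expose any password, beside the plaintext store that does.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the article or from Meta. The iteration
# count is an assumed work factor for PBKDF2-HMAC-SHA256; it is what makes
# guessing each password slow even when the whole store has been copied.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted digest; the returned record never contains the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def store_exposes_password(store: dict, password: str) -> bool:
    """Audit check: would someone who copied the whole store see this password?"""
    return password in repr(store)


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample password
    plaintext_store = {"alice": secret}  # the failure mode the regulator fined
    hashed_store = {"alice": hash_password(secret)}  # the expected practice
    print("plaintext store exposes password:", store_exposes_password(plaintext_store, secret))  # True
    print("hashed store exposes password:", store_exposes_password(hashed_store, secret))  # False
    print("login with right password:", verify_password(hashed_store["alice"], secret))  # True
    print("login with wrong password:", verify_password(hashed_store["alice"], secret + "!"))  # False
```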
In Meta’s case, passwords were stored in plaintext, but there is no evidence that external parties or malicious actors actually accessed them; neither Meta nor the DPC found any breach that exploited this weakness. Meta’s internal security team noticed the problem during a routine review of its security practices in 2019 and responded promptly with corrective action.
A Meta spokesperson reiterated that the issue was fixed immediately upon discovery, that there were no signs the passwords were misused or accessed by unauthorized third parties, and that Meta cooperated fully with the DPC during its investigation. However, whatever assurances have since been given that passwords are now held only in a protected form, such as hashed or encrypted, the fact that they were held in plaintext at all reflects a serious failure in the company’s internal processes, and it is this failure that led to the heavy fine.
For Meta, this fine is not just about one instance of passwords held in plaintext; it is part of a wider regulatory trend across the EU in which large technology companies are scrutinized more closely than ever over how they handle user data. The DPC is the Irish supervisory authority and acts as lead regulator on privacy matters for Meta and several other large American companies with their European headquarters in Ireland. Under the GDPR, any company processing the personal data of EU citizens must comply with its strict privacy and security requirements or face heavy financial penalties.
The DPC’s decision to apply a 91 million euro fine reflects how regulatory pressure is mounting on big tech companies to take their data protection practices seriously. Google, Amazon, and Meta have all faced investigations and penalties in Europe over privacy and security violations in the last few years. Such fines remind companies that GDPR compliance demands concrete action to prevent data breaches.
It is notable that both parties collaborated through the most significant parts of the investigation. While there was little doubt that the DPC treated the security lapse seriously, Meta also showed remorse and cooperated constructively with the regulator throughout the process. The Meta spokesperson said the company acted quickly on all issues related to the plaintext storage of passwords, and that it has since taken further measures to strengthen its data security protocols.
The case also raises broader questions about how companies like Meta can avoid similar incidents in the future. Although there was no known breach or misuse of user information this time, continually reviewing and updating security practices is the safeguard against problems emerging from such vulnerabilities. For corporations handling massive amounts of sensitive user data, a seemingly slight oversight such as failing to protect stored passwords can have significant consequences.
This is yet another reminder for Meta to maintain the highest standards in data protection. Meta is one of the world’s largest social media companies, with access to billions of users’ personal data, which makes securing that data a particularly sensitive and important task, one that cannot be allowed to take a back seat to its business. At the same time, while the company has made considerable strides in its privacy and security practices in recent years, incidents like the plaintext password issue make clear that more work remains.
What is equally notable about this case is that it again shows the critical role regulatory bodies such as the Irish DPC can play in holding companies accountable. A breach of this kind can attract fines of up to 4% of global revenue, so the 91 million euro fine imposed by the DPC is serious but far from the maximum. The DPC’s verdict sends a clear message to tech companies across the globe that operate within the European Union: data protection is not to be taken lightly, and lapses will not be tolerated.
The coming years will likely see many similar cases as regulators steadily increase enforcement of privacy laws. The technology industry will not go unscathed, and as the volume of personal data that companies use and store grows, so will the expectations around how that data is protected. For Meta and for every business, that means continuing to evolve security practices, staying ahead of potential vulnerabilities, and meeting the strictest privacy standards in place worldwide.
Conclusion
The fine handed down to Meta by the Irish DPC is a harsh reminder of the critical importance of data security in today’s digital landscape. While Meta quickly rectified the situation, the fact that plaintext passwords were stored at all points to a serious failure in its data protection practices. As regulators continue cracking down on privacy violations, companies will have to be more vigilant than ever in protecting user data, or they may end up facing similar penalties.