Meta Fined €91 Million for Storing Millions of Facebook and Instagram Passwords in an Unencrypted Format

The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of an investigation into a security lapse in March 2019, when the company announced that it had mistakenly stored users' passwords in plaintext in its systems. The inquiry, launched by the DPC the following month, found that the social media giant violated four separate provisions of the European Union's General Data Protection Regulation (GDPR).

To that end, the DPC faulted Meta for failing to promptly notify the DPC of the data breach, to document the personal data breach concerning the storage of user passwords in plaintext, and to use appropriate technical measures to guarantee the confidentiality of users' passwords. Meta originally disclosed that the lapse exposed a subset of users' Facebook passwords in plaintext, although it noted that there was no evidence the passwords were improperly accessed or misused internally.

According to Krebs on Security, some of these passwords date back to 2012, with a senior employee saying "some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords." A month later, the company found that millions of Instagram passwords had also been stored the same way and said it was notifying affected users.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," Graham Doyle, deputy commissioner at the DPC, said in a press statement. "It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts." In a statement shared with the Associated Press, Meta said it took "quick action" to resolve the error, and that it "proactively flagged this issue" to the DPC.