Meta, the parent company of Facebook, has been fined €91 million for a significant security breach related to the improper storage of user passwords. The penalty was imposed by the Irish Data Protection Commission (DPC), the authority responsible for overseeing compliance with European privacy law by the tech giant's EU operations.
The reason for the fine against Meta lies in the inadvertent storage of certain Facebook users' passwords in "plain text" format within Meta's internal systems, meaning that these passwords were not protected by any cryptographic measures or encryption. This error by Meta potentially exposed sensitive information for millions of users, although the DPC clarified that “these passwords were not made available to third parties.”
This fine is just one of the many penalties Meta has faced under the General Data Protection Regulation (GDPR) of the European Union, highlighting the magnitude of the challenges surrounding privacy and data protection that the company faces.
In this ITD Consulting article, we will explore in depth the reasons behind the fine, the consequences of the incident, Meta's response, and how this event fits into the broader context of the company’s ongoing efforts to comply with privacy regulations.

Why was Meta fined?
The fine imposed on Meta, amounting to €91 million, was the result of a breach related to the insecure storage of user passwords within its internal systems. It all started in March 2019 when Meta Platforms Ireland Limited (MPIL), the entity managing Facebook's operations in Europe, notified the Irish Data Protection Commission (DPC) that it had inadvertently stored certain users' passwords in "plain text."
In simple terms, this means that the affected users' passwords were not protected by any encryption or cryptographic security mechanism, leaving them exposed to potential security risks.
Although Meta assured that the passwords were not accessible to third parties nor misused, the severity of the situation did not go unnoticed by the regulatory authorities. In April 2019, the DPC launched a thorough investigation to determine whether MPIL had complied with the GDPR regarding the protection of passwords and the implementation of appropriate security measures within Meta.
One of the main concerns was to assess whether Meta had taken the necessary steps to protect passwords according to the inherent risks involved in processing sensitive data.
The DPC also examined whether Meta had complied with its obligation to correctly notify any personal data breaches, as required by the GDPR, which stipulates that companies must report any security incident within 72 hours of detecting the breach.
Despite the fact that the passwords were not made available to third parties, the lack of encryption or any other form of adequate protection constitutes a serious breach under the GDPR. The regulation clearly states that companies must implement robust security measures to mitigate the risks associated with processing personal data.
As a result, the €91 million fine imposed on Meta reflects the importance of ensuring an adequate level of security at all times and meeting notification obligations when a data security incident occurs.
The GDPR and its application in Meta’s case
The General Data Protection Regulation (GDPR) is a landmark piece of legislation from the European Union that seeks to ensure the protection of personal data for European citizens. This regulation imposes strict requirements on companies handling personal data, demanding that they implement adequate measures to protect user information from unauthorized access and potential misuse.
In Meta's case, the DPC determined that the company failed to meet the principles of "integrity and confidentiality" set out in the GDPR. In particular, Article 32 of the GDPR requires companies to adopt appropriate technical and organizational security measures to ensure a level of security commensurate with the risk of processing personal data.
The fact that Meta stored passwords in plain text without encryption was a clear violation of these principles, as this practice unnecessarily exposed sensitive information of millions of users.
It is important to note that the GDPR also establishes requirements for the notification of security incidents. According to the regulation, companies must inform regulatory authorities within 72 hours of identifying a security breach affecting personal data. Although Meta did notify the DPC about the incident, the investigation revealed that it did not do so within the required timeframe, which constituted an additional breach of the regulation.
In summary, the €91 million fine reflects the severity of the security breaches and the lack of adequate measures by Meta to protect user passwords.
This sanction against Meta highlights the importance of strict GDPR compliance to ensure the security and privacy of personal data in an increasingly digital world.
The DPC’s investigation: What did it reveal?
The investigation conducted by the Irish Data Protection Commission following Meta's notification in 2019 revealed several concerning aspects in the company’s security management.
According to reports, "hundreds of millions" of user passwords were stored in plain text on Meta's servers, which posed a considerable risk to the privacy of users' data.
The main issue identified by the DPC was the lack of encryption in the storage of passwords. Encryption is an essential technique to protect sensitive data, as it transforms information into an unreadable format for anyone without the decryption key.
By not using any form of encryption, Meta jeopardized the integrity and confidentiality of the data, as, in theory, anyone with unauthorized access to the company’s servers could have accessed the stored passwords.
Additionally, the investigation also revealed failures in the documentation and notification of the incident. The GDPR stipulates that companies must not only report any security breach within 72 hours, but also adequately document the nature of the incident and the corrective actions taken. In this case, Meta did not meet these requirements, which further aggravated the situation.
The DPC emphasized that security breaches of this nature are especially severe when they involve passwords, as these credentials provide access to users' personal accounts on social media, where even more sensitive information is stored.
As Graham Doyle, Deputy Commissioner of the DPC, pointed out, "It is widely accepted that user passwords should not be stored in plain text, considering the risks of abuse that arise when unauthorized persons gain access to such data."
Meta's response to the fine
After the €91 million fine was imposed, Meta issued a statement in which it downplayed the seriousness of the incident, referring to it as an "error" in its password management processes. According to a company spokesperson, Meta took "immediate action" to correct the problem once it was detected during a 2019 security review.
In its statement, Meta assured that the issue only affected a "subset" of Facebook users and that there was no evidence that the passwords had been misused or accessed without authorization. Meta also stated that it proactively notified the DPC about the problem and cooperated with regulatory authorities throughout the investigation.
However, despite Meta’s efforts to minimize the incident, the fine reflects the gravity of the situation and the potential risks involved in storing passwords in plain text.
Although there was no evidence that the passwords had been misused, the fact that they were stored without adequate protection for a considerable period of time exposed millions of users to unnecessary risk.

The Impact of the Fine on Meta and the Tech Industry
The fine imposed on Meta is just one of many the company has faced in recent years related to privacy and data security violations. Under the GDPR, EU data protection authorities have the power to impose significant fines on companies that fail to comply with data protection regulations.
In Meta's case, the €91 million fine represents a relatively small fraction of its annual revenue, which in 2023 amounted to $134.9 billion.
However, the fine sends a clear message to Meta and other tech companies about the importance of complying with privacy regulations. Regulatory authorities are increasingly committed to enforcing data protection laws, and companies that fail to take data security seriously will face substantial penalties.
This incident with Meta also underscores the growing importance of cybersecurity and data protection in an increasingly complex digital environment.
In addition to the monetary penalties, the fine also affects Meta's reputation, a company that has been under constant scrutiny due to its privacy practices. Users are increasingly concerned about how their personal information is managed, and tech companies are under pressure to prove they can protect sensitive data effectively. Incidents like storing passwords in plain text erode user trust and reinforce the perception that big tech companies prioritize growth and revenue over user privacy.
The Role of the DPC and GDPR Enforcement
The Irish Data Protection Commission (DPC) has been at the center of many high-profile data privacy investigations, as many tech companies, including Meta, Google, and Apple, have their European headquarters in Ireland.
This places the DPC in a crucial position to enforce the GDPR across Europe and ensure these large corporations comply with strict data protection regulations.
The DPC has faced criticism in the past for not imposing sufficiently strong penalties or acting quickly enough. However, the fine imposed on Meta shows that the DPC is ramping up its efforts to ensure GDPR compliance and will not hesitate to impose significant penalties when necessary.
This action against Meta is a sign that companies operating in Europe must take their responsibilities under the GDPR seriously and implement the necessary security measures to protect user data.
Since the implementation of the GDPR in 2018, fines imposed on companies violating the regulation have steadily increased. Meta's case, along with other high-profile incidents such as the fines imposed on Google for similar violations, demonstrates that the GDPR is an effective tool for holding tech companies accountable for their privacy and security practices.
Lessons Learned and the Road Ahead
The incident that led to Meta's €91 million fine offers several important lessons for both the company and the tech industry as a whole. First and foremost, it highlights the need to implement appropriate security measures to protect users' sensitive information.
Storing passwords in plain text is a fundamental security mistake that could have been easily avoided with standard security practices, such as storing only salted hashes of passwords produced by a dedicated password-hashing algorithm, so that the original password is never kept on the server.
Secondly, the incident underscores the importance of meeting the notification deadlines set out in the GDPR. Meta failed not only to adequately protect users' passwords but also to fulfill its obligation to notify authorities in a timely manner about the security breach.
Companies must have clear, well-defined procedures for identifying and responding to security incidents quickly to minimize damage and comply with regulatory requirements.
Finally, the fine reinforces the importance of transparency and accountability in handling personal data. Companies must be proactive in addressing privacy and security issues and be willing to take responsibility when they make mistakes.
Users trust that companies will protect their personal information, and any failure to do so can have serious consequences not only in terms of financial penalties but also in consumer trust.
What Should Companies Do to Avoid Similar Penalties?
Meta's case serves as a clear reminder for all companies handling personal data about the importance of implementing robust security measures and complying with privacy regulations. Below are key recommendations to avoid penalties similar to Meta's:
1. Implement Robust Encryption
Passwords should never be stored directly: they should be kept only as salted hashes produced by a dedicated password-hashing algorithm, so that the original password cannot be recovered even from the stored record. Other sensitive data should be encrypted using strong algorithms that transform the information into an unreadable format without the decryption key. This ensures that even if the data is compromised, it cannot be used by malicious actors.
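As an added illustration (not code from this article or from Meta), the following Python shows the recommended alternative to the plain-text storage sanctioned by the DPC: each password is stored only as a salted, deliberately slow hash (scrypt from the standard library; the work-factor values are assumed) and verified by recomputing the hash, so the password itself never reaches the database.

```python
import hashlib
import hmac
import os

# scrypt work-factor parameters: assumed values for this example, tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    Only a salted one-way hash is stored; the plain-text password is discarded.
    """
    salt = os.urandom(16)  # unique per password, so equal passwords give different records
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False  # malformed record (e.g. a legacy plain-text entry) never verifies
    return hmac.compare_digest(candidate, expected)


def record_leaks_password(record: str, password: str) -> bool:
    """Storage audit check: a correct record must not contain the password in readable form."""
    return password in record or password.encode("utf-8").hex() in record
```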
2. Conduct Regular Security Audits
Companies should regularly review their security systems to identify potential vulnerabilities and correct them before they become major issues. Security audits can also help ensure that best practices in data protection are being followed.
3. Train Staff in Cybersecurity
Employees are a crucial line of defense against security threats. Companies should provide regular cybersecurity training, so employees understand the risks and know how to respond appropriately to security incidents.
4. Develop an Incident Response Plan
Companies should have a clear plan for responding to security incidents, including procedures for identifying and mitigating damage, as well as notifying authorities and affected users within the timelines set by the GDPR.
5. Comply with GDPR Notification Requirements
If a security breach occurs that affects personal data, companies must notify data protection authorities within 72 hours. This notification should include a detailed description of the incident, measures taken to mitigate the impact, and any corrective actions implemented.
6. Foster a Culture of Privacy and Security
Companies should adopt a "privacy by design" mentality, where the protection of user data is a priority in all aspects of their operations. This includes integrating security practices from the outset in the development of products and services.
7. Continuous Monitoring of Systems
Constant monitoring of security systems is essential to detect threats in real time and respond to them before they cause significant harm. Companies should use advanced monitoring and analytics tools to identify suspicious activity and potential security breaches.
8. Collaborate with Regulatory Authorities
In the event of a security breach, companies should fully cooperate with regulatory authorities to resolve the issue efficiently. Transparency and collaboration can help mitigate consequences and demonstrate the company’s commitment to data protection.

The €91 million fine imposed on Meta for the security breach related to the improper storage of passwords highlights the risks that companies face when they fail to adopt proper measures to protect user information.
The GDPR is a powerful tool that allows regulatory authorities like the DPC to hold companies accountable for their failures in data protection, and this case serves as a reminder to all organizations about the importance of complying with privacy regulations.
As technology continues to advance and companies manage ever-increasing volumes of personal data, cybersecurity and privacy will remain key areas of focus.
Organizations must be willing to invest in robust security measures, adopt a proactive approach to risk management, and ensure transparency in handling user data. Only in this way can they avoid significant penalties and maintain user trust in an ever-evolving digital environment.
If you'd like to learn more about cybersecurity measures to prevent incidents like the one involving Meta and avoid hefty fines, reach out to us at [email protected]. We have a dedicated team to provide you with the best cybersecurity solutions.