Meta Fined $101.5M for 2019 Breach that Exposed
Introduction
Meta, the parent company of Facebook, has once again found itself facing a significant privacy penalty in Europe. On Friday, Ireland’s Data Protection Commission (DPC) announced a €91 million fine, equivalent to $101.5 million, as a result of a multi-year investigation into a 2019 security breach that exposed hundreds of millions of Facebook users’ passwords. This latest sanction marks another chapter in Meta’s ongoing struggles with privacy compliance under the European Union’s General Data Protection Regulation (GDPR).
Background of the 2019 Breach
In April 2019, Meta (still known as Facebook at the time) disclosed that user passwords had been stored in plaintext on its servers, exposing a significant weakness in its data management practices. Plaintext passwords carry no cryptographic protection at all: the accepted practice is to store only a salted, slow password hash from which the original password cannot be recovered, so that anyone who obtains a copy of the records, whether through a compromise or simply through internal access to logs or backups, still cannot read the passwords. Stored as plaintext, they were readable by anyone with access to the systems holding them. The company notified the DPC, which promptly launched an investigation under the GDPR to assess whether Meta had violated EU rules governing data security.
GDPR requires companies handling personal data within the EU to ensure that the data is appropriately secured, particularly when it comes to sensitive information like passwords. Failure to meet these standards can lead to hefty fines, as Meta has learned once again.
DPC’s Findings and Ruling
Following its investigation, the DPC concluded that Meta had indeed violated the GDPR. The regulator found that storing passwords in plaintext presented a serious security risk and failed to meet the GDPR’s requirement for appropriate technical and organisational security measures. Because the passwords were held without any cryptographic protection, anyone who could read them could potentially log in to users’ social media accounts, posing a significant risk to their personal privacy and security.
The DPC also found that Meta had failed to report the breach within the GDPR’s required timeframe, which calls for notification without undue delay and, where feasible, within 72 hours of becoming aware of the incident. Moreover, the company did not properly document the breach, further compounding its non-compliance with the GDPR.
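The two findings sections above turn on a single technical point: a plaintext credential table leaks every password to anyone who can read it, while a properly hashed table does not. The following is an added example written for this page, not Meta’s code or anything from the DPC decision, contrasting the failure mode with the expected practice. Both stores verify logins the same way from the caller’s point of view; the difference shows up only when the records are exported. The user names and passwords are constructed sample data, and the scrypt parameters are illustrative assumptions rather than a recommendation for any particular deployment.

```python
import hashlib
import hmac
import os


class PlaintextStore:
    """The failure mode described above: the credential is stored exactly as
    the user typed it, so anyone who can read the records (a backup, a log
    export, an internal dashboard) can read every password."""

    def __init__(self):
        self._records = {}

    def register(self, user, password):
        self._records[user] = {"password": password}

    def verify(self, user, password):
        rec = self._records.get(user)
        return rec is not None and hmac.compare_digest(rec["password"], password)

    def export(self):
        # Simulates a backup or log dump of the credential table.
        return dict(self._records)


class HashedStore:
    """The expected practice: keep only a per-user random salt and a slow
    password hash, here scrypt from the standard library. The scrypt
    parameters are illustrative assumptions for this example; tune them to
    your hardware and latency budget."""

    N, R, P, DKLEN = 2 ** 14, 8, 1, 32
    _DUMMY_SALT = bytes(16)  # used to keep timing uniform for unknown users

    def __init__(self):
        self._records = {}

    def _derive(self, password, salt):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=self.N, r=self.R, p=self.P, dklen=self.DKLEN)

    def register(self, user, password):
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        self._records[user] = {"salt": salt.hex(),
                               "hash": self._derive(password, salt).hex()}

    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            # Do the same amount of work for an unknown user so that response
            # time does not reveal which usernames exist.
            self._derive(password, self._DUMMY_SALT)
            return False
        candidate = self._derive(password, bytes.fromhex(rec["salt"]))
        return hmac.compare_digest(candidate, bytes.fromhex(rec["hash"]))

    def export(self):
        return dict(self._records)


def exposure_check(store, secrets):
    """Return which of the given secrets appear verbatim in an export of the
    store. This is the check a reviewer would run over a backup or log sample."""
    blob = repr(store.export())
    return sorted(s for s in secrets if s in blob)


# Constructed sample credentials for the demonstration; not real accounts.
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}


def demo():
    """Register the sample users in both stores and report, per store, whether
    logins behave correctly and which passwords an export would reveal."""
    results = {}
    for name, cls in (("plaintext", PlaintextStore), ("hashed", HashedStore)):
        store = cls()
        for user, pw in SAMPLE_USERS.items():
            store.register(user, pw)
        results[name] = {
            "login_ok": store.verify("alice", SAMPLE_USERS["alice"]),
            "wrong_pw_rejected": not store.verify("alice", "not her password"),
            "unknown_user_rejected": not store.verify("mallory", "anything"),
            "leaked_in_export": exposure_check(store, SAMPLE_USERS.values()),
        }
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Running the block shows both stores accepting the right password and rejecting the wrong one, but the export of the plaintext store contains both sample passwords verbatim while the export of the hashed store contains none of them. The `exposure_check` function is the kind of test a practitioner would point at a real log sample or backup when reviewing whether credentials are being written anywhere they should not be.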
Deputy commissioner Graham Doyle emphasized the gravity of the situation, stating, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.” He further highlighted that passwords are particularly sensitive as they grant access to users’ social media accounts, amplifying the seriousness of Meta’s failure to protect them.
Meta’s Response
Meta was quick to respond to the ruling, attempting to downplay the situation. In an official statement, the company referred to the breach as an “error” in its password management processes. Meta’s spokesperson, Matthew Pollard, noted that the company took “immediate action” to address the issue after discovering it during a security review in 2019. According to the statement, the exposed passwords were only temporarily stored in plaintext within internal data systems, and there was no evidence that the passwords were abused or accessed improperly.
Meta also highlighted that it proactively notified the DPC about the issue and cooperated fully with the investigation. However, despite these efforts, the regulator’s findings made it clear that Metaβs actions fell short of GDPR standards.
Privacy Compliance Challenges Continue
This latest €91 million fine is not the first penalty Meta has faced under the GDPR. In March 2022, the DPC issued a €17 million fine for a separate 2018 security breach. However, the scale of the 2019 breach, which exposed hundreds of millions of passwords compared with the 30 million users affected by the 2018 incident, resulted in a much larger penalty this time around.
While the €91 million fine may seem substantial, it is only a small fraction of what the GDPR allows. The regulation enables authorities to impose penalties of up to 4% of a company’s global annual turnover for the most serious violations. Given that Meta’s annual revenue in 2023 was $134.90 billion, that ceiling would be roughly $5.4 billion, so the fine represents just a sliver of what the company could theoretically face under the GDPR.
Conclusion
The €91 million fine against Meta serves as a stark reminder that even the biggest tech giants are not immune to the consequences of lax privacy and security practices. As Meta continues to grapple with data protection issues, this latest penalty underscores the importance of adhering to strict regulatory standards to safeguard user data. For Meta, a company already under intense scrutiny, the fine highlights the ongoing challenge of maintaining privacy compliance in the face of complex global operations.
Europe’s regulatory environment remains one of the toughest in the world for tech companies, and this latest sanction from the DPC reinforces the EU’s commitment to holding companies accountable for data breaches. As privacy becomes an increasingly central issue in the digital age, organizations must prioritize robust security measures or risk facing significant financial and reputational damage.