
Meta Fined $101.5M for 2019 Breach that Exposed


Introduction Of Meta

Meta, the parent company of Facebook, has once again found itself facing a significant privacy penalty in Europe. On Friday, Ireland’s Data Protection Commission (DPC) announced a €91 million fine, equivalent to $101.5 million, as a result of a multi-year investigation into a 2019 security breach that exposed hundreds of millions of Facebook users’ passwords. This latest sanction marks another chapter in Meta’s ongoing struggles with privacy compliance under the European Union’s General Data Protection Regulation (GDPR).


Background of the 2019 Breach

In April 2019, Meta (still known as Facebook at the time) disclosed that user passwords had been stored in plaintext on its servers, exposing a serious weakness in its data management practices. Plaintext passwords are unprotected: they were not encrypted, so anyone able to read the stored data could read the passwords directly. The company notified the DPC, which promptly launched an investigation under the GDPR to assess whether Meta had violated EU rules governing data security.

GDPR requires companies handling personal data within the EU to ensure that the data is appropriately secured, particularly when it comes to sensitive information like passwords. Failure to meet these standards can lead to hefty fines, as Meta has learned once again.

DPC’s Findings and Ruling

Following its investigation, the DPC concluded that Meta had indeed violated the GDPR. The regulator found that storing passwords in plaintext presented a serious security risk and failed to meet the GDPR’s requirement for strong data protection. The lack of encryption meant that third parties could potentially gain access to users’ social media accounts, posing a significant risk to their personal privacy and security.

The DPC also found that Meta had failed to report the breach within the required timeframe of 72 hours after becoming aware of the incident. Moreover, the company did not properly document the breach, further compounding its non-compliance with the GDPR.

Deputy Commissioner Graham Doyle emphasized the gravity of the situation, stating, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.” He further highlighted that passwords are particularly sensitive as they grant access to users’ social media accounts, amplifying the seriousness of Meta’s failure to protect them.

Meta’s Response

Meta was quick to respond to the ruling, attempting to downplay the situation. In an official statement, the company referred to the breach as an “error” in its password management processes. Meta’s spokesperson, Matthew Pollard, noted that the company took “immediate action” to address the issue after discovering it during a security review in 2019. According to the statement, the exposed passwords were only temporarily stored in plaintext within internal data systems, and there was no evidence that the passwords were abused or accessed improperly.

Meta also highlighted that it proactively notified the DPC about the issue and cooperated fully with the investigation. However, despite these efforts, the regulator’s findings made it clear that Meta’s actions fell short of GDPR standards.

Privacy Compliance Challenges Continue

This latest €91 million fine is not the first time Meta has faced penalties under the GDPR. In March 2022, the DPC issued a €17 million fine for a separate 2018 security breach. However, the scale of the 2019 breach, which exposed hundreds of millions of passwords compared to the 30 million users affected by the 2018 incident, resulted in a much larger penalty this time around.

While the €91 million fine may seem substantial, it is only a small fraction of the potential fines the GDPR allows for. The regulation enables authorities to impose penalties of up to 4% of a company’s global annual revenue for the most serious violations. Given that Meta’s annual revenue in 2023 was $134.90 billion, the fine represents just a sliver of what the company could theoretically face under the GDPR.

Conclusion

The €91 million fine against Meta serves as a stark reminder that even the biggest tech giants are not immune to the consequences of lax privacy and security practices. As Meta continues to grapple with data protection issues, this latest penalty underscores the importance of adhering to strict regulatory standards to safeguard user data. For Meta, a company already under intense scrutiny, the fine highlights the ongoing challenge of maintaining privacy compliance in the face of complex global operations.

Europe’s regulatory environment remains one of the toughest in the world for tech companies, and this latest sanction from the DPC reinforces the EU’s commitment to holding companies accountable for data breaches. As privacy becomes an increasingly central issue in the digital age, organizations must prioritize robust security measures or risk facing significant financial and reputational damage.
