Meta fined 1015M for 2019 breach that exposed hundreds of millions of Facebook passwords

pn n n concatei18ntsearchvoicerecognitionretryn ppReset your clocks Meta has been hit with yet another privacy penalty in Europe On Friday Irelands Data Protection Commission DPC announced a reprimand and a 91 million fine around 1015 million at current exchange rates after concluding a multiyear investigation into a 2019 security breach by Facebooks parent companyppThe DPC opened a statutory inquiry into the incident in question in April 2019 under the blocs General Data Protection Regulation GDPR after Meta or Facebook as the company was still called back then notified it that hundreds of millions of users passwords had been stored in plaintext on its serversppThe security incident is a legal issue in the European Union because the GDPR requires that personal data is appropriately securedppAfter investigating the DPC has concluded that Meta failed to meet the blocs legal standard since the passwords were not protected with encryption It created a risk as third parties could potentially access peoples sensitive information stored in their social media accountsppThe regulator which leads on oversight of Metas GDPR compliance also found Meta broke the rules by failing to notify it of the breach within the required time frame the regulation generally stipulates breach reporting should take place no later than 72 hours after becoming aware of it Meta also failed to properly document the breach per the DPCppCommenting in a statement deputy commissioner Graham Doyle wrote It is widely accepted that user passwords should not be stored in plaintext considering the risks of abuse that arise from persons accessing such data It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive as they would enable access to users social media accountsppReached for a response to its latest GDPR sanction Meta spokesperson Matthew Pollard emailed a statement in which the company sought to play down the finding by claiming it took immediate action over what had been an error in its password management processesppAs part of a security review in 2019 we found that a subset of FB Facebook users passwords were temporarily logged in a readable format within our internal data systems We took immediate action to fix this error and there is no evidence that these passwords were abused or accessed improperly Meta wrote We proactively flagged this issue to our lead regulator the Irish Data Protection Commission and have engaged constructively with them throughout this inquiryppMeta had already racked up a majority of the largest GDPR penalties handed out to tech giants so the latest sanction merely underscores the scale of its problems with privacy complianceppThe penalty is notably stiffer than a 17 million fine the DPC handed to Meta in March 2022 over a 2018 security breach The Irish regulator has had a change of senior management since then However the two incidents are also different Metas earlier security lapses affected up to 30 million Facebook users compared to the hundreds of millions whose passwords were said to have been exposed as a result of its failure to secure passwords in 2019ppThe GDPR empowers data protection authorities to issue fines for breaches where the amount of any penalty is calculated based on factors such as the nature gravity and duration of the infringement the scope or purpose of the processing and the number of data subjects affected and level of damage suffered among other considerationsppThe highest possible penalty under the GDPR is 4 of global annual turnover So in Metas case a 91 million fine may sound like a significant chunk of change but it remains a tiny fraction of the billions the company could theoretically face given its annual revenue for 2023 was a staggering 13490 billionppSign in to access your portfoliop