Hacker News: Meta fined $102M for storing passwords in plain text

Source URL: https://www.engadget.com/big-tech/meta-fined-102-million-for-storing-passwords-in-plain-text-110049679.html
Source: Hacker News
Title: Meta fined $102M for storing passwords in plain text

AI Summary and Description: Yes

Summary: The Irish Data Protection Commission has imposed a significant fine on Meta for failing to secure user passwords, which were found stored in plaintext during a 2019 breach. This incident underscores critical compliance failures related to GDPR regulations, particularly regarding data security and breach notification.

Detailed Description: The recent action taken by the Irish Data Protection Commission (DPC) against Meta highlights essential considerations in security and compliance, particularly concerning data protection regulations like the General Data Protection Regulation (GDPR). The focus on the mishandling of user passwords serves as a stark reminder of the vulnerabilities that can arise from inadequate security practices.

– **Incident Overview**:
  – Meta was fined $101.5 million (€91 million) following a DPC investigation into a 2019 security breach.
  – User passwords, potentially impacting up to 600 million accounts, were improperly stored in plaintext, making them easily accessible.

– **Regulatory Violations**:
  – The DPC found Meta in violation of several GDPR mandates, including:
    – Failing to notify the DPC of the breach without undue delay.
    – Not documenting the personal data breaches concerning the storage of passwords in plaintext.
    – Lacking appropriate technical measures to secure the passwords against unauthorized access.

– **Risks of Plaintext Storage**:
  – Storing passwords in plaintext poses an elevated risk of abuse, especially because such passwords give direct access to sensitive social media accounts.
  – The DPC emphasized that such practices contradict widely accepted security standards.
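The "widely accepted security standard" the DPC refers to is that a service never keeps the password itself, only a salted, slow hash of it. The following is an added illustration written for this page, not code from Meta or from the article: it places the plaintext storage the article describes beside a hashed record, shows why two users with the same password must not produce the same stored value, and includes the kind of audit check a defender would run over a credential table to find rows that are not hash records. The record format and the scrypt cost parameters are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration of the control the DPC found missing: passwords
# kept as-is ("plaintext") versus passwords kept as a salted, memory-hard
# hash. The record format and scrypt parameters below are assumptions made
# for this example; they are not Meta's or the article's.

# scrypt cost parameters (assumed; 128 * r * N = 16 MiB of memory per hash).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32
SCHEME = "scrypt"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def store_plaintext(password: str) -> str:
    """The failure mode from the article: the stored record *is* the password.
    Anyone who can read the record (backup, log line, database dump) holds the
    credential, and equal passwords produce equal records."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$N$r$p$salt$hash (binary fields
    base64-encoded). A fresh random salt per user means identical passwords
    yield different records and precomputed tables do not apply."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return "$".join([SCHEME, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def is_hashed_record(record: str) -> bool:
    """Audit check: does this stored value parse as one of our hash records?
    Rows that fail this are a finding; the auditing job should report the
    row identifier, never the row content."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != SCHEME:
        return False
    try:
        int(parts[1]), int(parts[2]), int(parts[3])
        base64.b64decode(parts[4], validate=True)
        base64.b64decode(parts[5], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time, so timing does not leak how many bytes matched."""
    if not is_hashed_record(record):
        return False
    _, n, r, p, salt_b64, digest_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    try:
        candidate = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except ValueError:  # malformed cost parameters in the record
        return False
    return hmac.compare_digest(candidate, expected)


def audit_store(records: dict) -> list:
    """Return the user ids whose stored credential is not a hash record."""
    return sorted(uid for uid, rec in records.items() if not is_hashed_record(rec))


if __name__ == "__main__":
    # Constructed credential table mixing the two storage styles; two pairs
    # of users share the same password.
    table = {
        "alice": store_plaintext("hunter2"),
        "bob": store_plaintext("hunter2"),
        "carol": hash_password("hunter2"),
        "dave": hash_password("hunter2"),
    }
    print("rows flagged by audit:", audit_store(table))
    print("identical plaintext records:", table["alice"] == table["bob"])
    print("identical hashed records:", table["carol"] == table["dave"])
    print("carol login ok:", verify_password("hunter2", table["carol"]))
    print("carol wrong password:", verify_password("hunter3", table["carol"]))
```

The audit function is the part most relevant to the breach-notification findings above: a periodic job that scans credential tables (and, separately, application logs) for values that do not parse as hash records is how an organisation discovers plaintext storage itself rather than learning about it from an investigator.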

– **Further Implications**:
  – The DPC issued a reprimand alongside the fine, indicating additional scrutiny may follow, pending the release of a more detailed final decision from the commission.

This case is critical for security professionals and compliance officers because it underscores the significant penalties associated with non-compliance. It stresses the importance of employing robust security measures, adhering to regulations, and notifying the relevant authorities of breaches promptly. These lessons are vital in the context of an expanding regulatory landscape and growing public concern about data privacy and security.