Source URL: https://therecord.media/meta-unprotected-passwords-fine-gdpr
Source: Hacker News
Title: Meta fined $101M for storing passwords in plaintext
Summary: Meta has been fined €91 million for storing users’ passwords in plaintext, violating GDPR. This incident highlights significant lapses in data protection measures and the importance of appropriate technical safeguards.
Detailed Description:
The recent fine levied against Meta emphasizes the critical need for adherence to data protection regulations and the necessity of robust security practices, particularly concerning sensitive user information such as passwords. The incident serves as a cautionary tale for organizations regarding the implications of mishandling personal data.
– **Incident Overview**:
  – Meta was fined €91 million ($101 million) by the Irish Data Protection Commission (DPC) for storing hundreds of millions of user passwords in plaintext.
  – The violation was uncovered during an internal review and has been under investigation since 2019.
– **Regulatory Findings**:
  – The DPC concluded that Meta breached its legal obligations under the EU’s General Data Protection Regulation (GDPR).
  – Key breaches included failing to notify the DPC of the personal data breach and lacking technical measures to safeguard user passwords.
– **Technical Concerns**:
  – Organizations normally protect stored passwords with cryptographic techniques, such as salted hashing, so that a breach of the password store does not expose the passwords themselves.
  – The DPC highlighted the risks of storing passwords in plaintext and noted that the exposed passwords could allow unauthorized access to users’ accounts.
– **Broader Implications**:
  – The incident underscores the need to implement industry-standard technical controls to secure personal data.
  – Organizations must ensure compliance with regulations such as GDPR to avoid severe penalties and protect user information.
– **Conclusion**:
  – The scrutiny faced by Meta reflects a wider trend of organizations being held accountable for inadequate data protection measures. It is a reminder for professionals in security, compliance, and governance to prioritize encryption and secure data storage as part of their operational protocols.
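The salted hashing mentioned under Technical Concerns, as an added example that is not part of the original article: the plaintext record is shown beside a salted scrypt record so the difference in what a breach exposes is concrete. The scrypt cost parameters and the record format are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumed for illustration; tune to your hardware budget).
# Memory use is 128 * N * r bytes = 16 MiB here, within hashlib's default limit.
N, R, P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def store_plaintext(password: str) -> str:
    """The anti-pattern behind the fine: the stored record IS the secret."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$digest (base64 fields).

    A fresh random salt per password means identical passwords produce
    different records, so a leaked table cannot be attacked with one
    precomputed lookup.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=N, r=R, p=P, dklen=DIGEST_BYTES)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${N}${R}${P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def record_exposes_password(password: str, record: str) -> bool:
    """True if a dump of this record would hand an attacker the password directly."""
    return password in record
```

The constructed password below is only a test value; `record_exposes_password` is a rough check that the plaintext string is absent from the stored record, not a proof of strength.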