The Irish Data Protection Commission (DPC) has fined Meta $101.5 million for storing 600 million Facebook and Instagram user passwords on its internal systems without a firewall.
Meta was fined $101.5 million after it was revealed that 600 million Facebook and Instagram passwords were stored on its internal systems without a firewall.
Some of these passwords had not been protected since 2012 and could be searched by more than 20,000 Meta employees.
The security breach was discovered in 2019, but has reportedly been around for 7 years, Engadget reported.
While Meta did not say how many accounts were affected, a senior employee told Krebs on Security that the incident involved 600 million passwords.
Some of the passwords had been stored in an easily readable format on the company’s servers since 2012.
Not only did Meta break the law by failing to protect the passwords in the first place, it also failed to comply with its legal obligation to report the matter to the regulator immediately upon discovery.
The Irish Data Protection Commission (DPC) found that Meta violated several General Data Protection Regulation (GDPR) rules related to the breach.
The Commission found that the company failed to notify the DPC without undue delay of a personal data breach related to the storage of user passwords in plain text and failed to document personal data breaches related to the storage of user passwords in plain text.
It also said Meta breached the GDPR by failing to use appropriate technical measures to secure users’ passwords against unauthorized processing.