Facebook's parent company has been fined the equivalent of $100 million for storing user passwords in plain text. Failing to encrypt the passwords breached Europe's General Data Protection Regulation (GDPR).

Meta, which runs Facebook and Instagram, broke the rules despite there being no evidence that anyone accessed the passwords without authorization or that anyone was then able to access accounts.

Delay In Coming Clean

The company was found to have breached the GDPR on four counts. Two involved failing to adequately secure personal data, one involved not properly documenting these failures (which were classed as a personal data breach) and one involved not telling data regulators about the failure quickly enough.

Storing a password database in plain text is considered extremely poor security practice even if it's not an immediate risk in itself. That's because anyone who gained access to the database without authorization (either through an external hack or through misuse of access from within the company) would have every password immediately usable, with no cracking step required. The accepted practice is not to store passwords in a recoverable form at all, but to store only a salted, deliberately slow hash of each one, so that a stolen database still does not hand over working credentials.

The fine of €91 million came from the Data Protection Commission in Ireland, where Meta does much of its European data processing. It said that "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts." (Source: dataprotection.ie)

Drop in the Ocean

Whether the fine is excessive or will have enough of a deterrent effect is a matter of opinion and may depend on whether you take into account Meta's finances. Based on its most recent financial reports, it's the same amount Meta makes in profit in just 16 hours.

The same data regulator previously fined Meta more than a billion dollars for an earlier breach of the GDPR. In that case, Meta had failed to follow the rules for transferring data between Europe and the United States, which are designed to make sure personal data is protected to the same standard in both places. (Source: bbc.co.uk)

What's Your Opinion?

Is the fine appropriate? Does it make a difference that the passwords were for social media accounts? Should businesses have to follow data protection rules or should it be up to customers to "vote with their feet"?