(GDPR) Did you know that, according to the Data Protection Commission (DPC), Meta exposed the data of millions of Facebook users by breaking multiple GDPR provisions?
DPC Ireland found that, in addition to failing to put in place appropriate organisational and technical security measures to guard user data against unauthorised access, Meta also neglected to manage the security risks associated with the kind of data it processed, including how that data was stored on its database servers.
In its decision, the regulator also pointed out that Meta had neglected to record, and to alert the relevant authorities “in a timely manner” to, the disclosure of its users’ plaintext passwords as part of a personal data dump.
KrebsOnSecurity On Meta
Facebook is investigating a series of security failures in which employees built applications that logged users’ passwords in clear text on company servers, without any encryption. That is according to a senior Facebook employee who is familiar with the inquiry and was not authorised to speak to the media.
According to the Facebook insider, as many as 20,000 Facebook employees may have had access to the account credentials of between 200 million and 600 million Facebook users, which were stored in plain text and were searchable.
“In this situation what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this. We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”
The Irish watchdog fined Meta €390 million in January 2023 for violating user privacy. The fine was associated with Meta’s use of user data for targeted advertising, which was determined to be illegal under GDPR laws.
What is the GDPR?
The General Data Protection Regulation (GDPR) is the world’s strictest privacy and security law. Although it was drafted and passed by the EU, it imposes obligations on organisations anywhere in the world, as long as they target or collect data relating to people in the EU. The regulation took effect on May 25, 2018. Organisations that violate the GDPR’s privacy and security requirements can face fines of up to tens of millions of euros.
Data protection principles
- Lawfulness, fairness and transparency: Processing must be lawful, fair and transparent to the data subject.
- Purpose limitation: Data may only be processed for the legitimate purposes that were made clear to the data subject when it was collected.
- Data minimisation: Collect and process only the minimum amount of data required to fulfil the stated purposes.
- Accuracy: Personal data must be kept accurate and up to date.
- Storage limitation: Personal data may only be kept for as long as it is required to fulfil the stated purpose.
- Integrity and confidentiality: Processing must be carried out in a way that ensures appropriate security, integrity and confidentiality (e.g., by using encryption).
- Accountability: The data controller must be able to demonstrate compliance with each of these GDPR principles.
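The incident described above (application code that wrote passwords to server logs in clear text, where they stayed searchable) and the integrity-and-confidentiality principle both come down to the same two engineering controls: keep credentials out of log output, and never store them in a form that can be read back. The following is an added example, not code from the page, from Meta or from KrebsOnSecurity; all names (`redact`, `CredentialRedactingFilter`, `hash_password`, `verify_password`), the list of sensitive field names and the sample login event are constructed for illustration.

```python
"""Constructed example: keep credentials out of logs and out of plaintext storage.

Two defences against the failure mode described on the page:
  1. A logging filter that masks credential-like fields before a record is
     formatted, so a developer's debug log cannot leak a password.
  2. Password storage as a salted PBKDF2-HMAC-SHA256 hash, so the stored
     value cannot be read back as the password.
All identifiers here are hypothetical; nothing is Meta's or Facebook's code.
"""
import hashlib
import hmac
import logging
import os
import re
from typing import Any, Optional

# Field names that must never reach a log line (constructed list; extend per application).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|authorization)", re.IGNORECASE)
REDACTED = "[REDACTED]"


def redact(value: Any) -> Any:
    """Return a copy of `value` with sensitive keys masked, recursing into nested
    dicts and lists. The original object is not mutated, so the application
    still holds the plaintext it needs for verification."""
    if isinstance(value, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(str(k)) else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class CredentialRedactingFilter(logging.Filter):
    """Logging filter that scrubs a record's arguments before formatting.

    Attach it to a logger or handler; a call such as
        logger.info("login attempt %s", {"user": "alice", "password": "x"})
    then formats as password=[REDACTED]. The record is never dropped."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):          # single mapping argument
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):       # positional arguments
            record.args = tuple(redact(a) for a in record.args)
        return True


def sanitised_log_line(event: dict) -> str:
    """Build a record the way the logging module would, pass it through the
    filter, and return the text that would be written to disk."""
    record = logging.LogRecord("auth", logging.INFO, __file__, 0,
                               "login attempt %s", (event,), None)
    CredentialRedactingFilter().filter(record)
    return record.getMessage()


# Password storage: salted, iterated hash instead of plaintext.
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing "algo$iterations$salt$digest" string. A fresh
    random salt is drawn unless one is supplied (e.g. for deterministic tests)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed or unknown-format records verify as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    event = {"user": "alice", "password": "hunter2"}      # constructed sample
    print(sanitised_log_line(event))                      # password is masked
    record = hash_password(event["password"])
    print(record)                                         # no plaintext present
    print(verify_password("hunter2", record), verify_password("wrong", record))
```

The filter is the detection-side control: it runs on every record regardless of which developer wrote the log call, which is the scenario the page describes (many internal apps, each logging whatever was in the request). The hash is the storage-side control: even someone with read access to the table, as the 20,000 employees reportedly had to the logs, sees only a salt and a digest.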
In November 2022, Facebook, owned by Meta, was fined €265 million for a data scraping incident that occurred three years earlier and exposed hundreds of millions of user records.
Meta has also received one other financial penalty from the DPC for failing to comply with the EU’s GDPR. Since the GDPR went into effect in 2018, Meta has been fined more than €2.5 billion in total, making it one of the top GDPR violators in the EU.