HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Meta hit with €91 million fine for lax password safety

Written by Farah Amod | Oct 9, 2024 2:03:35 PM

Meta, the parent company of the social media giants Facebook and Instagram, has been handed a hefty €91 million fine under the General Data Protection Regulation (GDPR). The penalty is the result of Meta's failure to adhere to the EU's stringent data protection rules, particularly in its handling of user passwords.


What happened

The investigation revealed that Meta had been storing user passwords in an unencrypted format, leaving them vulnerable to breaches and unauthorized access. This disregard for data security protocols violated the GDPR, which requires companies to take measures to safeguard the personal information of their users.


Going deeper

The ruling found that Meta's password management practices were inadequate, putting the privacy and security of millions of users at risk. The failure to implement industry-standard protection for stored passwords left the door wide open for cybercriminals to gain access to account details, compromising the trust users had placed in the company.


What was said

Graham Doyle, Deputy Commissioner of the Irish Data Protection Commission, stated that “it is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”
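What "not storing passwords in plaintext" looks like in practice, as an added example that is not part of the original article and not Meta's code: a user store that keeps passwords verbatim, of the kind the ruling describes, beside a migration of that store to salted, slow hashes using PBKDF2 from Python's standard library. The user names, passwords and field names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed "before" store: the password itself is kept, so anyone who can read
# this table (a leaked backup, an over-privileged employee, a log scraper) can log in.
PLAINTEXT_STORE = {
    "alice": "S3cret-Passw0rd!",
    "bob": "hunter2",
}

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations matches current OWASP
# guidance and makes each offline guess expensive for an attacker holding the table.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Derive a salted, slow hash. Only the salt, iteration count and digest are stored;
    the password itself never is, and the per-user random salt means two users with the
    same password get different records (no shared rainbow-table lookup)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so a timing side channel does not leak how many leading bytes matched."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def migrate_store(plain_store: dict) -> dict:
    """Convert a plaintext store into hashed records. After this runs, the original
    plaintext rows should be securely deleted; the hashed table contains no password."""
    return {user: hash_password(pw) for user, pw in plain_store.items()}


def store_contains_plaintext(store: dict, plain_store: dict) -> bool:
    """Sanity check a defender can run over a dump: does any stored value still equal
    a known plaintext password? For the hashed store this must be False."""
    serialized = repr(store)
    return any(pw in serialized for pw in plain_store.values())


if __name__ == "__main__":
    hashed = migrate_store(PLAINTEXT_STORE)
    print("plaintext visible in hashed store:", store_contains_plaintext(hashed, PLAINTEXT_STORE))
    print("alice correct password:", verify_password("S3cret-Passw0rd!", hashed["alice"]))
    print("alice wrong password:  ", verify_password("S3cret-Passw0rd", hashed["alice"]))
```

The hashed table can still be stolen, but a thief then has to guess each password individually at the cost of the full iteration count per guess, and the salt prevents one precomputed table from serving every user; that gap between "leaked table" and "working credentials" is exactly what plaintext storage gives away.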


In the know

This isn't Meta's first GDPR fine. In 2023, the company faced a €1.2 billion penalty from the Irish regulator for continuing to transfer personal data of users from the European Economic Area to the United States, following the invalidation of an EU-to-US data transfer agreement by the EU’s highest court due to concerns over surveillance. Additionally, in 2022, Meta was fined €265 million after the personal data of over 533 million users was discovered online.


FAQs

How can one tell if a password is weak or commonly used?

Covered entities and business associates can use a password manager with a health-check feature that scans stored credentials and notifies users of any weak, reused, or compromised passwords.


How safe is a 12-character password?

A 12-character password is highly safe because it is nearly impossible for a person to guess and is considered the best safeguard against threat actors. Combining lowercase letters, uppercase letters, numbers, and symbols makes it stronger still.


Does NIST require password expiration?

No. NIST recommends resetting passwords only when necessary, for example after evidence of compromise. While many organizations traditionally enforce a password policy under which passwords expire every 60 to 90 days, NIST diverges from this approach and does not recommend periodic password expiration as a general practice.