If this control failure allowed malicious insiders to access private data, and misuse people’s personal accounts, then a data breach would have actually occurred. But I haven’t seen any suggestion that this happened, only references to the possibility that it might have happened. I’m really just thinking like somebody who believes that if the government is going to punish you for something, then the event you’re being punished for should have actually occurred, and also that they should be able to prove it occurred.
If reference to standard security policies formed part of the basis of this decision (as the article states), then the harm that you’re trying to contrive into existence here also has no merit. There is no framework of information security that allows for a password to permanently retain its value as a secret-keeping tool. Conventionally, passwords have only retained their value for a set period of time, and even the most modern security standards for managing secrets require you to rotate them at even the most remote possibility that they were exposed. The idea that a password rotation has harmed Facebook users, and the implication that their password was a valuable asset that they could reasonably expect to retain its value forever, is quite ridiculous.
I could agree that this fine is bureaucratic Big Compliance enforcing its made-up standards. At the same time, it's hard for me to feel bad for Facebook.
If someone's violating internal auditing procedures, those same procedures won't catch them. It's dangerous because it's a violation of the procedure itself. Proving such violations without tools like no-knock warrants or the NSA moving in is nearly impossible.
So you end up with a misappropriated circus of Big Compliance issuing fines over no wrongdoing and internal audits finding no wrongdoing, when you rarely hear about this type of internal abuse unless someone is careless enough to brag about it to their Tinder date.