The Irish Data Protection Commissioner (DPC) has fined Meta Ireland €91m for improperly storing the passwords of certain social media users on its internal systems.
The DPC said Meta Ireland — which is a subsidiary of Facebook and Instagram-owner Meta Platforms — stored the passwords as “plaintext” in its internal systems, which meant they did not have any cryptographic protection or encryption protection.
This potentially allowed people in the company to see users’ passwords. The DPC said these passwords were not made available to parties outside of the company.
The inquiry into this matter was launched in April 2019 after Meta Ireland notified the DPC it had inadvertently stored certain passwords in this way.
Deputy commissioner at the DPC, Graham Doyle said it was “widely accepted” users passwords should not be stored in plaintext considering the risk of abuse that arises from “persons accessing such data”.
“It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” Mr Doyle added.
Meta Ireland were notified of the fine on Thursday.
The DPC found Meta Ireland breached GDPR by failing to notify it of a personal data breach, failing to document personal data breaches concerning the storage of user passwords in plaintext, not using appropriate measures to secure users passwords, as well as not implementing appropriate measures to ensure a level of security appropriate to the risk.
The DPC said it submitted a draft decision to the other concerned supervisory authorities across the EU/EEA in June. No objections to the draft decision were raised by the other authorities.