Ireland’s Data Protection Commission Fines Meta €91 Million for GDPR Violation

The Data Protection Commission (DPC) in Ireland has imposed a fine of €91m ($102m) on Meta Platforms Ireland Limited (MPIL) for mishandling social media users’ passwords in violation of the GDPR. The investigation was initiated in April 2019 after MPIL informed the DPC that it had stored certain passwords in ‘plaintext’ on its internal systems, that is, without cryptographic protection or encryption.

Deputy Commissioner at the DPC, Graham Doyle, emphasized that storing user passwords in plaintext poses significant risks of abuse, especially considering that these passwords could provide access to users’ social media accounts. The DPC found that MPIL had failed to implement appropriate security measures to protect the confidentiality and integrity of user passwords.

A spokesperson for Meta stated that a security review in 2019 revealed that a subset of Facebook users’ passwords had been temporarily logged in a readable format within their internal data systems. Meta took immediate action to rectify the error and reported the incident to the Irish Data Protection Commission. However, it remains uncertain whether Meta will challenge the imposed fine.

Brian Honan, CEO of BH Consulting, highlighted the importance of organizations implementing robust security controls to safeguard personal data. He pointed out that while Meta claims that the passwords were not accessed improperly, the lack of adequate security measures is still a cause for concern. Had the passwords been compromised, the repercussions would have been much more severe.

The DPC submitted a draft decision to the Concerned Supervisory Authorities across the EU/EEA in June 2024, in accordance with GDPR regulations. No objections were raised to the draft decision, and the notification of the fine was issued on September 26. The DPC determined that MPIL had failed to notify them of a personal data breach regarding the storage of user passwords in plaintext.

Furthermore, MPIL was found to have neglected to implement suitable technical and organizational measures to ensure the security of user passwords against unauthorized processing. The DPC concluded that Meta’s actions breached GDPR principles related to integrity and confidentiality. GDPR requires data controllers to establish appropriate security measures to protect personal data, taking into account the potential risks and the nature of the data processing.

In light of this decision, the DPC underlined the importance of organizations implementing adequate security measures when handling user passwords. This case serves as a reminder for companies to prioritize data security and promptly report any breaches to the relevant regulatory authorities to prevent data privacy violations. The substantial fine imposed on Meta by the DPC sends a clear message that organizations must prioritize data protection and implement robust security measures to safeguard user information.
