Meta fined €91m for storing user passwords in plaintext

Meta violated several provisions of the GDPR, according to the Irish DPC


Meta Platforms has been slapped with a hefty €91 million (nearly $106 million) fine by the Irish Data Protection Commission (DPC) for storing millions of users' passwords in plaintext.

The penalty is part of a broader crackdown by the EU for non-compliance with the General Data Protection Regulation (GDPR).

The incident occurred in 2019, when Meta discovered during a routine security review that "some user passwords" were stored in a readable format on its internal systems, without encryption or any other cryptographic protection.

The company notified the DPC of the issue, which led to an in-depth investigation.

Meta said no passwords were exposed to external parties, adding that it found no evidence of abuse or improper access to the stored data. However, the DPC determined that storing user passwords without encryption constituted a violation of several provisions under the GDPR.

Meta breached the GDPR articles on notification of data breaches, documentation of breaches, data integrity and confidentiality, and security of processing, the DPC stated.

While Meta did not disclose the exact number of users affected, it is estimated that millions of users of Facebook, Facebook Lite and Instagram were potentially impacted.

In response to these GDPR violations, the DPC has imposed a €91 million fine on Meta, alongside an official reprimand. The fine takes into account Meta's voluntary disclosure of the breach to the Irish authorities.

The agency said that data controllers must ensure that robust security measures are implemented to protect sensitive user information.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC.

"It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users' social media accounts."

The DPC has yet to release its full report on the matter, but it is expected to provide additional details about the breach and Meta's handling of the situation in the coming months.

A Meta spokesperson said the password storage issue was an "error" that was promptly addressed.

"We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry," Meta said.

The latest fine by the Irish authorities adds to a growing list of penalties imposed on Meta for GDPR violations.

In May last year, the DPC fined Meta €1.2 billion for violating rules on transferring user data outside the EU.

Earlier that year, the company was also fined €405 million for failing to have a valid legal basis to process user data for ad targeting.

WhatsApp, a Meta-owned messaging app, was fined €5.5 million in 2023 for forcing users to share their personal data. In addition to the penalty, the Meta-owned platform was ordered to bring its data processing operations into conformity within the next six months.