Original Article Text

Ireland fines Meta €91 million for storing passwords in plaintext.

The Data Protection Commission (DPC) in Ireland has fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for storing the passwords of hundreds of millions of users in plaintext.

The incident occurred in 2019. At the time, Meta disclosed it publicly and notified the DPC, which initiated an investigation into the tech giant's practices for storing sensitive user data.

"In March 2019, MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in 'plaintext' on its internal systems (i.e. without cryptographic protection or encryption)," reads DPC's announcement.

In the 2019 disclosure, Meta said that it had found "some user passwords" stored on its systems in a readable format during a routine security review at the beginning of the year. Although the company did not say how many users were impacted, it estimated that it would notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users" and millions of Instagram users.

It is worth noting that the passwords were not available to external parties and the review found no evidence of abuse or improper access.

Storing user account passwords without proper protections, such as encryption and access control, constitutes a violation of multiple General Data Protection Regulation (GDPR) articles relating to measures data controllers implement to guarantee the security of people's data:

For the above violations, and taking into consideration that Meta informed the Irish data protection authority voluntarily, the DPC imposes an official reprimand and an administrative fine of €91 million.

The DPC will publish at a later date its complete decision and information related to the incident, the agency said.

Daily Brief Summary

DATA BREACH // Ireland Slaps Meta with €91 Million Fine for Password Mishap

The Data Protection Commission (DPC) in Ireland imposed a €91 million fine on Meta Platforms Ireland Limited for insecure storage of user passwords.

In 2019, Meta inadvertently stored the passwords of hundreds of millions of users in plaintext within its internal systems.

Although the plaintext passwords were not exposed to external parties, the practice violated several GDPR articles concerning data security.

Meta had originally discovered the issue during a routine security review and subsequently notified the DPC, leading to an investigation.

The affected accounts included hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and millions of Instagram users.

Despite no evidence of improper access or abuse, the DPC issued both an official reprimand and a substantial monetary fine to Meta.

Meta's failure to protect user data with sufficient encryption and access controls led to significant GDPR compliance penalties.