Following an inquiry into Meta Platforms Ireland Limited (MPIL), the Data Protection Commission (DPC) in Ireland has fined the firm €91m ($102m) for mishandling social media users’ passwords and GDPR infringement.
The DPC launched the initial inquiry in April 2019 after MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption).
Deputy Commissioner at the DPC, Graham Doyle commented: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”
Doyle also noted that that the passwords the subject of consideration in this case are particularly sensitive as they would enable access to users’ social media accounts.
In a statement sent to Infosecurity, a Meta spokesperson said: "As part of a security review in 2019, we found that a subset of FB users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly. We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”
As of today it is unclear whether Meta will dispute the fine.
In 2019, Facebook issued a statement saying it had fixed the issues and as a precaution would notify everyone whose passwords it found to be stored in plaintext.
Meta's also said the passwords were never visible to anyone outside of Facebook and no evidence suggested that anyone internally abused or improperly accessed them.
“Meta claims the passwords were not accessed but that does not negate the poor security controls in place. Had those passwords been breached then I am sure the fine would be of a much higher value,” commented Brian Honan, CEO of BH Consulting and former special advisor on cybersecurity to Europol.
Honan added, “The fine is a clear message to organizations that they need to ensure appropriate security measure and controls are in place to protect the personal data of data subjects and that they have appropriate processes in place to detect and report breaches to the appropriate regulator in a timely manner.”
Meta Accused of Breaching GDPR
The DPC submitted a draft decision to the other Concerned Supervisory Authorities across the EU/EEA in June 2024, as required under Article 60 of the GDPR. No objections to the draft decision were raised by the other authorities.
Notification of the fine was issued on September 26.
A statement by the DPC said that Meta filed to notify the DPC of a personal data breach concerning the storage of user passwords in plaintext.
It also said MPIL did not use appropriate technical or organizational measures to ensure appropriate security of users’ passwords against unauthorized processing.
Finally, Meta also breached GDPR because it did not implement appropriate measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
The DPC said that the decision concerns the GDPR principles of integrity and confidentiality.
GDPR requires data controllers to implement appropriate security measures when processing personal data, taking into account factors such as the risks to service users and the nature of the data processing.
In order to maintain security, data controllers should evaluate the risks inherent in the processing and implement measures to mitigate those risks.
This decision emphasizes the need to take such measures when storing user passwords, the DPC said.