Ireland’s Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited (MPIL) €91 million for storing passwords of hundreds of millions of users in plaintext.
The breach, which occurred in 2019, was publicly disclosed by Meta, prompting an investigation by the DPC into Meta’s handling of sensitive user data.
According to the DPC’s announcement, “In March 2019, MPIL notified the DPC that it had inadvertently stored certain social media user passwords in ‘plaintext’ on its internal systems, lacking cryptographic protection or encryption.”
Meta’s 2019 disclosure revealed that a routine security review had uncovered “some user passwords” stored in a readable format on its systems. While the company did not provide specific numbers, it anticipated notifying “hundreds of millions of Facebook Lite users, tens of millions of Facebook users,” and millions of Instagram users.
Meta stated that no external parties had access to the passwords, and no evidence of misuse or unauthorized access was found during the review.
Storing user passwords without proper security measures, such as encryption and access control, violates several General Data Protection Regulation (GDPR) articles, which require data controllers to ensure the security of personal data:
- Article 33(1) – Notification of a Personal Data Breach: Meta failed to promptly notify the DPC about the plaintext storage of user passwords, which constitutes a personal data breach.
- Article 33(5) – Documentation of a Personal Data Breach: Meta did not maintain proper documentation of the incident, violating requirements for record-keeping on personal data breaches.
- Article 5(1)(f) – Integrity and Confidentiality: Meta did not implement adequate security measures, leaving the passwords stored without encryption.
- Article 32(1) – Security of Processing: Meta did not apply sufficient technical and organizational measures to safeguard the passwords, such as encryption, to ensure data confidentiality and prevent unauthorized access.
Taking into account Meta’s voluntary notification to the Irish DPC, the regulatory body issued an official reprimand alongside the €91 million fine.
The DPC will release a full decision on the incident at a later date, detailing the conclusions of its investigation.
Source: BleepingComputer, Bill Toulas