Meta had told the DPC it had inadvertently stored certain passwords of social media users in 'plaintext' on its internal systems, without cryptographic protection or encryption

Meta fined €91m by DPC for password storage issues

RTE.ie

Meta, the parent company of Facebook, Instagram and WhatsApp, has been fined €91m by the Irish Data Protection Commission (DPC).

It follows an investigation into the storage of passwords by Meta.

The inquiry was launched in April 2019, after Meta notified the DPC that it had inadvertently stored certain passwords of social media users in "plaintext" on its internal systems, without cryptographic protection or encryption.

The investigation found four breaches of the General Data Protection Regulation (GDPR) relating to failures to notify and document personal data breaches, as well as failures to use appropriate technical or organisational measures to ensure the security of users' passwords.

The DPC submitted a draft decision to its fellow European data watchdogs in June and no objections were raised by the other authorities.

The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, was notified to Meta yesterday.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Deputy Commissioner at the DPC, Graham Doyle.

"It must be borne in mind, that the passwords that were the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts," Mr Doyle said.

In 2019, Meta issued a statement outlining that the password storage issue had been uncovered as part of a routine security review.

The company said it related to hundreds of millions of Facebook users and millions of Instagram users who would be notified about the issue.

"Our investigation has determined that these stored passwords were not internally abused or improperly accessed," Meta said at the time.

In a statement, Meta said that as part of a security review in 2019, it found that a subset of Facebook users' passwords were temporarily logged in a readable format within its internal data systems.

"We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly," a spokesperson said.

"We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry," Meta said.