Irish Data Protection Commission fines Meta €91 million for improper password storage

The Irish Data Protection Commission (DPC) has imposed a €91 million fine on Meta Platforms Ireland Limited (MPIL) following an inquiry into the company’s improper storage of user passwords. The investigation, initiated in 2019, came after Meta disclosed that certain user passwords were stored in an unsecured, readable format within its internal systems.

 

In March 2019, Meta acknowledged the issue, stating, “we found that some user passwords were being stored in a readable format within our internal data storage systems.” Meta emphasized that their investigation revealed no evidence of internal misuse or unauthorized access to these passwords. Despite this assurance, the DPC launched an inquiry to assess potential violations of the European Union’s General Data Protection Regulation (GDPR).

 

After a detailed investigation, the DPC concluded that Meta had breached several key provisions of the GDPR. The commission found that Meta had failed to implement adequate technical measures to protect user data, which violated Article 5. Additionally, Meta violated Article 33 by not promptly notifying the Irish DPC about the personal data breach. Furthermore, the DPC determined that Meta did not ensure an appropriate level of security, as outlined in Article 32 of the GDPR. The fine was issued in accordance with Articles 58 and 83 of the regulation.

 

Graham Doyle, Deputy Commissioner of the DPC, stressed the significance of securing user data: “User passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”

 

This latest fine is part of a series of regulatory actions against Meta for failing to adhere to European data protection standards. In March 2022, Meta was fined €17 million by the Irish DPC after several data breaches impacted around 30 million users. More recently, in May 2023, the DPC issued a record-breaking €1.2 billion fine against Meta for GDPR violations related to transferring European user data to the United States.