Meta Fined €91m for Storing Social Media Users' Passwords in Plaintext
Meta Platforms Ireland Limited (MPIL), the European arm of Meta (formerly Facebook), has been fined €91m ($102m) by the Irish Data Protection Commission (DPC) for mishandling social media users' passwords. The penalty stems from a 2019 incident in which MPIL stored certain passwords in plaintext on its internal systems.
The DPC launched an initial inquiry in April 2019 after MPIL notified it of the breach. Meta proactively flagged the issue and engaged with the DPC throughout the investigation. The inquiry found that Meta had not used appropriate technical or organizational measures to ensure the security of users' passwords, nor had it implemented measures to maintain their ongoing confidentiality. This infringement violated the GDPR principles of integrity and confidentiality, which require data controllers to evaluate risks and implement mitigation measures, especially when storing user passwords.
The passwords in question are particularly sensitive as they would enable access to users' social media accounts. The DPC's decision highlights the importance of data controllers implementing robust security measures to protect personal data.
The DPC fined MPIL €91m for its failure to adequately protect users' passwords. This penalty serves as a reminder for all data controllers to prioritize data security and comply with GDPR principles. Meta has not disputed the DPC's findings and has committed to taking necessary steps to prevent such incidents in the future.