The decision comes from a 2019 inquiry in which millions of Facebook and Instagram user passwords were stored in a readable format.
Ireland’s Data Protection Commission (DPC) has fined social media giant Meta €91m for breaching the General Data Protection Regulation (GDPR) in relation to storing user passwords.
The fine announced today (27 September) follows an inquiry that was first launched in April 2019 after Meta revealed it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems.
At the time, between 200m and 600m user passwords were stored in a readable format in an internal system that employees could access.
Following an investigation, the DPC found that Meta had breached the GDPR by failing to notify the DPC, failing to document the breach and failing to use appropriate measures to ensure the correct level of security and confidentiality.
The DPC submitted a draft decision to the other concerned authorities across the EU/EEA earlier this year and no objections were raised.
Graham Doyle, deputy commissioner at the DPC, said it’s widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that can arise when people have access to this data.
“It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” he said.
In a statement sent to SiliconRepublc.com, a spokesperson for Meta said the passwords were temporarily logged in a readable format within our internal data systems but that there is no evidence that the passwords were abused or accessed improperly.
“We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”
In 2022, the DPC also fined Meta €265m following a data breach that affected millions of Facebook users. However, the tech giant has appealed this fine and the case has been adjourned by the High Court until another appeal on a related case is resolved in the EU courts.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.