Meta Platforms Ireland Limited has once again been fined by the Irish Data Protection Commission (DPC) for EU GDPR violations. This time, the social media giant was fined €91m ($101m) for storing users’ passwords without encryption or cryptographic protection.
The DPC started investigating Meta in April 2019 after it notified the Commission that some of the passwords of social media users were “inadvertently stored” in ‘plaintext’ on its internal systems. At the time the number of users affected was not publicized.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Graham Doyle, Deputy Commissioner at the DPC.
The DPC says that this decision highlights the necessity for data to controllers to implement appropriate security measures. These should take into account factors such as risks to users and the nature of data processing.
“It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” Doyle added.
EU GDPR violations
According to the DPC, Meta contravened the following articles of GDPR:
- Article 33(1) by failing to notify the DPC of a personal data breach concerning storage of user passwords in plaintext;
- Article 33(5) by failing to document personal data breaches concerning the storage of user passwords in plaintext;
- Article 5(1)(f) for not using proper technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing; and
- Article 32(1) for not implementing such measures to ensure a proper security level to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
Other fines for Meta Ireland
Meta Ireland has received multiple fines from the Irish DPC over its failure to adhere to GDPR. Some of the most recent fines include:
- May 2023: A fine of €1.2 billion ($1.3 billion) over personal data transfers to the US in connection with the delivery of its Facebook service.
- January 2023: A combined fine of €390m ($409m), €210m for breaches of GDPR relating to its Facebook service and €180m for breaches in relation to its Instagram service.
- November 2022: A fine of €265m ($275m) fine for data protection “by design and default” failings with a software vulnerability leading to the exposure of personal details of 533 million users.