Meta Platforms Fined €91 Million for Storing Passwords in Plaintext
The Data Protection Commission (DPC) has announced its final decision regarding Meta Platforms Ireland Limited (MPIL) following an inquiry initiated in April 2019. This inquiry was prompted by MPIL’s notification to the DPC about the inadvertent storage of certain social media user passwords in plaintext, meaning they were not protected by cryptographic measures. The DPC submitted a draft decision to other Concerned Supervisory Authorities in June 2024, and since no objections were raised, the final decision was made public on September 26.
The DPC’s decision includes a reprimand and a substantial fine of €91 million. The findings indicate several infringements of the General Data Protection Regulation (GDPR). Specifically, MPIL failed to notify the DPC of the personal data breach, did not document the breach adequately, and did not implement appropriate technical and organizational measures to secure user passwords against unauthorized access.
Deputy Commissioner Graham Doyle emphasized the importance of not storing user passwords in plaintext due to the potential risks associated with unauthorized access to such sensitive information. The inquiry assessed whether MPIL had taken necessary steps to ensure the security of user passwords and complied with its obligations to report and document personal data breaches as required by the GDPR.
The decision highlights the need for data controllers to implement appropriate security measures and to notify authorities promptly in case of a breach. The DPC’s corrective actions include both a reprimand and administrative fines, reinforcing the importance of compliance with GDPR principles concerning data integrity and confidentiality.
