DPC imposes fine on Meta of € 91M for unsafe password storage
The Irish Data Protection Commission (DPC) has fined Meta € 91 million for storing hundreds of millions of user passwords in plaintext rather than in salted, hashed form.
In March 2019, Meta discovered that the passwords of some social media users were stored in plaintext. This only happened on Meta’s internal systems, and there was no evidence that any of the passwords had been abused.
The Menlo Park-based tech company reported the incident to the DPC, which acts as Meta's lead supervisory authority in the EU because the company's European headquarters is located in Ireland.
In April 2019, the Irish DPA launched an investigation to assess Meta's compliance with the General Data Protection Regulation (GDPR). The DPC specifically wanted to establish, first, whether Meta had taken measures to ensure an appropriate level of security when processing passwords and, second, whether the company had complied with its obligation to report personal data breaches to the DPC.
The DPC's investigation took more than five years and identified four separate infringements of the GDPR.
First, Meta failed to notify the DPC that hundreds of millions of user passwords were stored in plaintext, which infringes Article 33(1) of the GDPR. In addition, the company failed to document the storage of passwords in plaintext, which violates Article 33(5) of the GDPR.
Furthermore, Meta neglected to implement appropriate technical or organizational measures to secure users' passwords against unauthorized processing, which is a violation of the integrity and confidentiality principle in Article 5(1)(f) of the GDPR.
Lastly, Meta did not implement appropriate technical and organizational measures to ensure the confidentiality of user passwords, which infringes Article 32(1) of the GDPR.
Before imposing a reprimand and a € 91 million fine, the DPC submitted a draft of its decision to other concerned supervisory authorities across Europe. None of them objected to the conclusions, making the DPC’s decision final.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” Deputy Commissioner at the DPC Graham Doyle commented in a statement.
According to Reuters, a Meta spokesperson said the company took immediate action to rectify the error after identifying it during a security review in 2019 and that there is no evidence the passwords were abused or accessed improperly.