Meta gets €91 million GDPR fine for storing passwords in plain text


Ireland’s data protection authority fined Meta €91 million for storing passwords in plain text

Ireland’s Data Protection Commission (DPC) has fined Meta €91 million following an investigation into a 2019 security breach. Meta was found to have incorrectly stored user passwords in plain text, allowing them to be accessed internally by thousands of employees.

The passwords had been stored in plain text on Meta’s servers since 2012. According to the DPC, more than 20,000 employees of the company were able to search the passwords. Although the passwords were not accessible to outside parties, the DPC concluded that Meta had violated several GDPR rules.

Investigations and violations

The security breach came to light in January 2019, when Meta announced that some user passwords were stored in plain text on its own servers. A month later, it was revealed that millions of Instagram passwords had also been stored incorrectly. At the time, Meta did not specify exactly how many accounts were involved in the incident. An internal source at the company indicated that possibly up to 600 million passwords were stored in plain text, according to Engadget.

The DPC stated that Meta had not reported the data breach in a timely manner and that the company had not taken adequate technical measures to ensure the security of user passwords. Meta also lacked proper documentation of the incident, which is likewise a violation of the GDPR.

Consequences for Meta

In addition to the fine, Meta received an official reprimand from the DPC. Exactly what this means for the company will become clear later, when the DPC’s full decision is made public. However, the €91 million fine highlights the seriousness of the violations and the responsibility of companies like Meta to properly protect user data.