Meta Platforms Ireland Limited (MPIL) has been fined €91 million by the Irish Data Protection Commission (DPC) for storing hundreds of millions of users’ passwords in plain text.
According to the Irish watchdog, such storage directly violated data protection laws. The issue surfaced in 2019 during a routine security audit and involved Meta storing unencrypted passwords on its internal systems.
“As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” reads Meta’s security advisory. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
Although Meta reported no evidence of internal abuse, the sheer scale of the incident—involving millions of Facebook Lite and Instagram users—raised serious concerns.
After Meta disclosed the breach, the DPC launched an investigation culminating in a formal reprimand and a hefty fine.
“The Data Protection Commission (DPC) has today announced its final decision following an inquiry into Meta Platforms Ireland Limited (MPIL),” reads the Commission’s statement. “This inquiry was launched in April 2019, after MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption).”
European data protection authorities backed the DPC’s decision, highlighting the critical need for robust internal security measures, especially for highly sensitive data like passwords.
Meta has since addressed the flaw and notified affected users. However, the DPC’s decision, motivated by the severity of the issue, seems to have sent a warning to tech giants that data privacy and GDPR compliance are not to be trifled with.
Although the DPC’s decision is not final, the watchdog promised to release its full decision and further details on the case at a later date.
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsNovember 14, 2024
September 06, 2024