Irish DPC fines Meta €91 million over password management lapse

Meta had been storing millions of users’ passwords in plaintext, without cryptographic protection, in an internal database, the firm found in 2019.


Entrance sign at Meta's headquarters complex in Menlo Park, California [Image credit: Nokia621/Wikimedia Commons]

Eliza Gkritsi, Euractiv, 27-09-2024 13:00

The Irish Data Protection Commission (DPC) fined Meta €91 million for "inadvertently" storing user passwords without cryptographic protection or encryption, closing a five-year-old case, according to a Friday press release.

The DPC investigation started in April 2019 after Meta's Ireland entity notified the authorities in charge of regulating the Facebook and Instagram parent in the EU.

The company had been storing social media users' passwords in plain text in its internal databases, meaning they were available to thousands of employees, CNN reported at the time. Meta discovered the exposed passwords in a security review in January 2019, with millions of users affected.

The DPC submitted its draft decision to other EU and EEA authorities in June and received no objections.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Deputy Commissioner at the DPC, Graham Doyle, in the press release.

Meta was found in breach of the General Data Protection Regulation (GDPR), specifically for not securing the passwords, failing to notify the authority, and not documenting the data breach.

[Edited by Alice Taylor-Braçe]
