Passwords in plain text: Meta must pay 91 million euros
The Irish data protection supervisory authority sanctions Meta, the company behind Facebook, Instagram, Threads and WhatsApp.
Meta must again pay a fine under the General Data Protection Regulation (GDPR). The Irish data protection supervisory authority DPC Ireland announced today that it has issued a fine notice to Meta Platforms Ireland Limited. The company is now to pay 91 million euros. In 2019, the company itself reported that it had inadvertently stored millions of passwords for Facebook and Instagram users in plain text. This was discovered during a security review; thousands of employees could theoretically have had access.
Gross breach of organizational duties
The DPC considered this to be a gross breach of the organizational obligations that must be met under the GDPR to protect personal data. "It is generally accepted that user passwords should not be stored in plain text due to the risk of misuse by individuals accessing such data," said DPC Deputy Commissioner Graham Doyle. The passwords in the specific case were "particularly sensitive as they would allow access to users' social media accounts." The authority also accuses the company of reporting the incident too late and not documenting it properly.
The then Federal Data Protection Commissioner Ulrich Kelber criticized the incident in 2019 with harsh words. Because of the location of Meta's European headquarters, DPC Ireland is the lead authority for the Meta Group and is conducting numerous proceedings against the company. Many of the proceedings, such as the one now decided by the DPC, have been dragging on for half a decade. Most recently, however, Meta has been fined under the GDPR in several proceedings.
(mma)