Ireland’s Data Protection Commission (DPC) has fined Meta €91 million for a data breach that could have exposed millions of passwords.
The DPC inquiry began in April 2019 after Meta, which owns and operates Facebook, Instagram, and WhatsApp, notified the regulator that some users’ passwords had been stored in plaintext: readable exactly as typed, rather than stored as salted hashes, so anyone with access to the storage could read them directly.
This oversight made millions of Facebook and Instagram users’ passwords vulnerable to unauthorised access by thousands of Meta employees. However, Meta stated at the time that no evidence suggested these passwords were misused.
The investigation found four infringements of the General Data Protection Regulation (GDPR): failing to notify the DPC of the breach, failing to document it, and, under two separate provisions, failing to use appropriate technical or organisational measures to safeguard the passwords.
According to the DPC, the notification and documentation failures breached Article 33, which requires a controller to report a personal data breach to the regulator without undue delay and to keep a record of it, while the storage failure breached Articles 5(1)(f) and 32, which require security appropriate to the risk. The accepted remedy for stored passwords is not encryption as such but a salted, deliberately slow hash: an encrypted password can still be recovered by anyone holding the key, whereas a hash can only be checked against a candidate password.
The DPC’s deputy commissioner Graham Doyle said:
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”
“It must be borne in mind that the passwords that were the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts,” he added.
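The plaintext storage Doyle describes, set beside the accepted alternative, as an added example that is not Meta’s code and is not drawn from the DPC decision. It stores passwords as salted PBKDF2-HMAC-SHA256 records, verifies them in constant time, and includes the kind of audit a routine security review could run to flag records that are not in hashed form. The record format, the iteration count and the sample usernames are assumptions made for the example.

```python
"""Added example (not Meta's code): plaintext password storage beside salted hashing.

Shows why a plaintext store exposes every credential to anyone who can read it,
how the widely accepted alternative (a salted, slow hash) avoids that, and how an
audit can flag records that are not in hashed form.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
# Assumption: 600,000 iterations, the OWASP-recommended floor for PBKDF2-HMAC-SHA256.
DEFAULT_ITERATIONS = 600_000


def store_plaintext(user_db: dict, username: str, password: str) -> None:
    """The failure mode: anyone who can read the store can read the password."""
    user_db[username] = password


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt means identical passwords produce different
    records, so a leaked store cannot be attacked with one precomputed table.
    The record format is an assumption of this example, not a standard.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Malformed records (wrong field count, non-hex salt, bad iteration count)
    are rejected rather than raising, so a corrupted row cannot crash a login path.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def _is_hex(value: str, length: int) -> bool:
    if len(value) != length:
        return False
    try:
        bytes.fromhex(value)
        return True
    except ValueError:
        return False


def find_plaintext_records(user_db: dict) -> list:
    """Return usernames whose stored value is not a well-formed hash record.

    This is the check a periodic review would run: any value that does not
    parse as algorithm$iterations$32-hex-char salt$64-hex-char digest is
    treated as a plaintext (or otherwise unprotected) password.
    """
    offenders = []
    for username, value in user_db.items():
        parts = value.split("$")
        well_formed = (
            len(parts) == 4
            and parts[0] == ALGORITHM
            and parts[1].isdigit()
            and _is_hex(parts[2], 32)
            and _is_hex(parts[3], 64)
        )
        if not well_formed:
            offenders.append(username)
    return offenders


def build_sample_store() -> dict:
    """Constructed sample data: one legacy plaintext record and one hashed record."""
    user_db = {}
    store_plaintext(user_db, "legacy_user", "hunter2")
    user_db["hashed_user"] = hash_password("correct horse battery staple")
    return user_db


if __name__ == "__main__":
    db = build_sample_store()
    print("records stored in plaintext:", find_plaintext_records(db))
    print("hashed login ok:", verify_password("correct horse battery staple", db["hashed_user"]))
    print("hashed login wrong pw:", verify_password("hunter2", db["hashed_user"]))
```

Running the audit over the constructed store reports only `legacy_user`; the hashed record verifies the correct password and rejects a wrong one, and the stored value reveals nothing about the password to anyone reading the store.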
Meta claimed it had discovered the problem during a routine security review and took immediate steps to resolve it. Despite the company’s cooperation, the DPC’s decision resulted in a fine and formal reprimand for failing to uphold adequate security standards.