Meta's Security Oversight Costs Millions in GDPR Penalties

Meta, Facebook's parent company, has been fined €91 million ($150 million AUD) by the Irish Data Protection Commission (DPC) for storing user passwords as unencrypted 'plaintext' on its internal systems. The penalty comes five years after the company first acknowledged the security lapse.

The DPC, acting as the supervisory authority for the European Union's General Data Protection Regulation (GDPR), issued the fine along with a formal reprimand.

Deputy Commissioner Graham Doyle emphasized the severity of the breach, stating, "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. The passwords in question are particularly sensitive, as they would enable access to users' social media accounts."

The DPC's decision outlined four specific GDPR violations:

  1. Failure to notify the DPC of a personal data breach concerning password storage (Article 33(1))
  2. Failure to document personal data breaches related to password storage (Article 33(5))
  3. Lack of appropriate technical or organizational measures to ensure password security (Article 5(1)(f))
  4. Failure to implement measures ensuring ongoing password confidentiality (Article 32(1))

A Meta spokesperson responded to the decision, saying, "As part of a security review in 2019, we found that a subset of Facebook users' passwords were temporarily logged in a readable format within our internal data systems.

"We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly. We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry."

This fine is not the first significant penalty Meta has faced for data protection violations. In May 2023, the company was fined a record €1.2 billion for transferring European Facebook users' personal data to the United States in violation of GDPR rules.

The DPC has yet to publish its full report on the password storage incident.