Meta fined €91m by Irish regulator for password storage breach

Ireland's Data Protection Commission (DPC) has imposed a fine of €91 million on Meta Platforms Ireland for breaching data protection regulations by inadvertently storing user passwords without proper security measures.

The decision, announced on 27 September 2024, follows an investigation that began in April 2019 after Meta notified the DPC of the incident.

The inquiry focused on Meta's compliance with the General Data Protection Regulation (GDPR), particularly regarding the implementation of appropriate security measures for password processing and adherence to obligations for documenting and reporting personal data breaches.

Deputy commissioner at the DPC, Graham Doyle, emphasised the gravity of the situation, stating, "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

The DPC's decision outlined four specific GDPR infringements by Meta: failure to notify the DPC of a personal data breach concerning the storage of user passwords in plaintext; failure to document personal data breaches related to the storage of user passwords in plaintext; lack of appropriate technical or organisational measures to ensure adequate security of users' passwords against unauthorised processing; and failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.

In addition to the substantial fine, the DPC issued a reprimand to Meta as part of its corrective powers under the GDPR.

The incident came to light in March 2019 when Meta discovered it had inadvertently stored certain user passwords in 'plaintext' on its internal systems, meaning they were not protected by cryptographic measures or encryption. Meta publicly disclosed this information at the time, assuring users that the passwords were not accessible to external parties.

This decision underscores the importance of the GDPR principles of integrity and confidentiality. The regulation requires data controllers to implement appropriate security measures when processing personal data, taking into account factors such as risks to service users and the nature of the data processing.

The DPC's ruling also highlights the obligation for data controllers to properly document and promptly notify authorities of personal data breaches, as stipulated by Article 33 of the GDPR.

This latest fine brings the total amount levied against Meta by the DPC for GDPR breaches to €2.5 billion since the regulation's introduction in 2018. The Irish regulator serves as the lead EU privacy watchdog for many major US technology companies because their European operations are based in Ireland.

Meta has not yet commented on whether it intends to appeal the decision. The full text of the DPC's decision is expected to be published in the coming days, providing further details on the case and its implications for data protection practices in the tech industry.


