The Irish Data Protection Commission (DPC) fined Meta €91 million for “inadvertently” storing user passwords without cryptographic protection or encryption, closing a five-year-old case, according to a Friday press release.
The DPC investigation started in April 2019 after Meta’s Ireland entity notified the authorities in charge of regulating the Facebook and Instagram parent in the EU.
The company had been storing social media users’ passwords in plain text in its internal databases, meaning they were available to thousands of employees, CNN reported at the time. Meta discovered the exposed passwords in a security review in January 2019, with millions of users affected.
The DPC submitted its draft decision to other EU and EEA authorities in June and received no objections.
“There is no evidence that these passwords were abused or accessed improperly,” and Meta “proactively” notified the lead regulator, the DPC, a company spokesperson told Euractiv in an email.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Deputy Commissioner at the DPC, Graham Doyle, in the press release.
Meta was found in breach of the General Data Protection Regulation (GDPR), specifically for not securing the passwords, failing to notify the authority, and not documenting the data breach.
[Edited by Alice Taylor-Braçe]