Ireland’s Data Protection Commission (DPC) has announced a €91 million fine against Meta Platforms Ireland Limited (MPIL) following an inquiry into the company’s handling of user passwords. This decision marks a significant development in the enforcement of the General Data Protection Regulation (GDPR), highlighting the importance of secure data handling practices by major tech companies.
The inquiry, which began in April 2019, was initiated after MPIL reported that it had inadvertently stored certain users’ social media passwords in plaintext on its internal systems. Plaintext storage means the passwords were not encrypted or protected using cryptographic measures, leaving them vulnerable to unauthorized access. Although the incident was contained within Meta’s internal systems and no external parties gained access to the passwords, the company’s failure to ensure proper security led to a series of GDPR violations.
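To make the contrast in the paragraph above concrete, here is an added example (not code from the article or from Meta) in Python that places the flawed pattern, writing the secret itself into a credential record, beside the appropriate measure, keeping only a per-user salted scrypt hash and verifying against it in constant time. The in-memory `store` dictionary and the `record_exposes_password` check are constructed for illustration.

```python
import hashlib
import hmac
import os

# Work-factor parameters for scrypt (assumed values for the example);
# 128 * r * n bytes of memory per hash, i.e. 16 MiB here.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def store_plaintext(store: dict, user: str, password: str) -> None:
    """The flawed pattern: the password itself becomes part of the record,
    so it also ends up in every backup, log or dump that copies the record."""
    store[user] = {"password": password}


def store_hashed(store: dict, user: str, password: str) -> None:
    """Appropriate measure: keep a random salt and the scrypt digest only.
    The per-user salt means equal passwords still yield different records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    store[user] = {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify_hashed(store: dict, user: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so a mismatch never leaks how many leading bytes agreed."""
    rec = store.get(user)
    if rec is None or rec.get("kdf") != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(rec["salt"]), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), rec["hash"])


def record_exposes_password(rec: dict, password: str) -> bool:
    """Control check (constructed): does the stored record contain the
    password verbatim, as the plaintext pattern does?"""
    return password in rec.values()


if __name__ == "__main__":
    good, bad = {}, {}
    store_hashed(good, "alice", "correct horse")
    store_plaintext(bad, "alice", "correct horse")
    print("hashed record verifies:", verify_hashed(good, "alice", "correct horse"))
    print("hashed record exposes password:", record_exposes_password(good["alice"], "correct horse"))
    print("plaintext record exposes password:", record_exposes_password(bad["alice"], "correct horse"))
```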
Findings and Violations
The DPC’s investigation concluded that MPIL had breached several key provisions of the GDPR:
- Failure to Notify the DPC of the Breach: MPIL violated Article 33(1) of the GDPR by failing to promptly inform the DPC of the personal data breach concerning the storage of user passwords in plaintext.
- Failure to Document the Breach: According to Article 33(5) GDPR, MPIL failed to properly document the breach, which is required to ensure transparency and accountability in data handling.
- Inadequate Security Measures: MPIL violated Article 5(1)(f) and Article 32(1) of the GDPR by not implementing appropriate technical and organizational measures to secure user passwords, leaving them susceptible to unauthorized processing.
These violations underscore the company’s inadequate response to the risks posed by insecure password storage and its failure to meet the regulatory standards set by GDPR.
Decision and Penalties
On September 26, 2024, the DPC issued its final decision, which included both a reprimand and a €91 million fine. The decision was reached after the draft was reviewed by Concerned Supervisory Authorities across the EU/EEA, as required under GDPR’s Article 60. No objections were raised, confirming the widespread support for the ruling.
Deputy Commissioner Graham Doyle emphasized the severity of the incident, noting that “user passwords should not be stored in plaintext, given the risk of abuse.” He stressed that the sensitivity of these passwords, which allow access to personal social media accounts, made it crucial for companies to implement robust security measures.
Series of Fines
This is not the first time Meta has faced fines under the GDPR. In 2023, the company was hit with a $1.3 billion penalty for breaching EU data privacy regulations. Additionally, in 2022, Meta was fined $276 million following a 2021 data breach that compromised the personal information of over 533 million users.