Facebook owner Meta has been reprimanded and fined €91 million by the Irish Data Protection Commission for improperly storing user passwords.
The fine, which was imposed under General Data Protection Regulations (GDPR), relates to an incident in 2019 when it was discovered the company had stored some user passwords on its systems in plaintext, which is an easily readable format, instead of applying encryption or other cryptographic protection.
There was no evidence that anyone outside the company had accessed the passwords, but the issue affected millions of users, including Instagram, Facebook and Facebook Lite users.
Meta’s systems would usually “hash” and “salt” the passwords, and use a cryptographic key to replace them with a random set of characters so log-ins can be validated without storing the password in plaintext.
“As part of a security review in 2019, we found that a subset of FB users’ passwords were temporarily logged in a readable format within our internal data systems,” a Meta spokesperson said.
“We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly. We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”
The data protection regulator determined the company had failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext, as it was obliged to under GDPR. It also failed to document personal data breaches concerning the storage of user passwords in plaintext, and did not use appropriate measures to ensure the security of users’ passwords from unauthorised access.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said deputy commissioner at the DPC, Graham Doyle.
“It must be borne in mind, that the passwords [that were] the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
The commission said it will publish the full decision and further related information in due course.
The fine is the latest imposed by the DPC on Meta. The most significant penalty was imposed in May 2023, when Meta was fined a record €1.2 billion for violating European privacy rules, following a long investigation into transfers by Facebook of Europeans’ personal data to the US.
A fine of €265 million was imposed the year before over a “collated” set of Facebook personal data that had been uploaded onto an online forum.
- Sign up for the Business Today newsletter and get the latest business news and commentary in your inbox every weekday morning
- Opt in to Business push alerts and have the best news, analysis and comment delivered directly to your phone
- Join The Irish Times on WhatsApp and stay up to date
- Our Inside Business podcast is published weekly – Find the latest episode here