Meta's EU operations are headquartered in Ireland, so the company falls under Irish data protection enforcement.
Facebook and WhatsApp parent Meta has been fined €91 million after it stored hundreds of millions of users' passwords in plaintext on its internal systems.
According to The Record, Meta first disclosed the engineering mistake in 2019 and said it would notify everyone whose passwords had been stored without protection, while stressing that the passwords had only been exposed internally at Meta and that there was no evidence any of them had been abused.
However, the Irish Data Protection Commission (DPC) found that the incident breached Meta's legal duties under the EU's General Data Protection Regulation (GDPR), and has issued a reprimand alongside the fine.
In particular, Meta Platforms Ireland Limited (MPIL), the controller for Meta's EU users, was found to have infringed the following four GDPR articles:
- Article 33(1) GDPR, as MPIL failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext
- Article 33(5) GDPR, as MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext
- Article 5(1)(f) GDPR, as MPIL did not use appropriate technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing
- Article 32(1) GDPR, because MPIL did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
Graham Doyle, deputy commissioner at the DPC, said: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.” He said that the passwords in this case are particularly sensitive, “as they would enable access to users’ social media accounts.”
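The control the DPC faults Meta for lacking is the standard one: never keep the password itself, only a salted hash from a memory-hard function, and keep credentials out of the logs and internal records where plaintext tends to end up. The following is an added example in Python using only the standard library; it is not code from the article or from Meta, and the function names, scrypt parameters, regex and sample records are assumptions constructed for it.

```python
"""Added example: storing and checking passwords without ever keeping the
plaintext, plus a redaction step for log lines and an audit check for stored
records. Not from the article or Meta; all names and samples are assumptions."""
import hashlib
import hmac
import os
import re
from typing import Optional

# scrypt work factors (assumed values): 128 * r * n bytes of memory, here 16 MiB,
# which stays under hashlib's default 32 MiB maxmem so the example runs anywhere.
_N, _R, _P, _DKLEN = 2**14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted scrypt hash. The returned record is what gets stored;
    the plaintext password is dropped once this function returns."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=_N, r=_R, p=_P, dklen=_DKLEN)
    # Parameters are stored alongside the hash so they can be raised later
    # without invalidating existing records.
    return {"alg": "scrypt", "n": _N, "r": _R, "p": _P,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored parameters and compare in constant
    time, so a wrong guess leaks nothing through timing."""
    expected = bytes.fromhex(record["hash"])
    actual = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=len(expected))
    return hmac.compare_digest(actual, expected)


# Matches key=value or "key": "value" forms for common password field names.
# Deliberately aggressive (no word boundary), so "bypass=1" is also redacted;
# over-redacting a log line is the cheaper mistake.
_SECRET_FIELD = re.compile(
    r'("?(?:password|passwd|pwd|pass)"?\s*[:=]\s*)("[^"]*"|\S+)', re.IGNORECASE)


def redact_credentials(line: str) -> str:
    """Scrub password fields from a log line or serialised request before it
    is written to any internal system."""
    return _SECRET_FIELD.sub(r"\1[REDACTED]", line)


def stored_in_plaintext(record: dict, password: str) -> bool:
    """Audit heuristic: does a stored record contain the literal password
    (as a whole field or inside a string)? True means the storage is broken."""
    return any(isinstance(v, str) and password in v for v in record.values())


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    good = hash_password("correct horse battery")
    bad = {"user": "alice", "password": "correct horse battery"}  # the failure mode
    print("verify ok:", verify_password("correct horse battery", good))
    print("verify wrong:", verify_password("Tr0ub4dor&3", good))
    print("hashed record leaks plaintext:", stored_in_plaintext(good, "correct horse battery"))
    print("plain record leaks plaintext:", stored_in_plaintext(bad, "correct horse battery"))
    print(redact_credentials('login user=alice password=hunter2 ip=10.0.0.1'))
    print(redact_credentials('{"user": "bob", "password": "s3cret!"}'))
```

The scrypt parameters are a placeholder; a production deployment would tune them (or use Argon2id via a dedicated library) to the slowest cost its login path can tolerate, and would run the redaction step at the logging framework level rather than call it by hand.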
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.