The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited (MPIL) €91 million ($102 million) for breaching the European Union’s General Data Protection Regulation (GDPR).
The violations stem from Meta’s improper storage of user passwords without encryption, a significant failure to secure sensitive personal data.
In 2019, Meta informed both the Irish DPC and its users that “millions” of passwords had been stored in “plaintext” on the company’s internal systems. The DPC disclosed this information in a press release on Friday, detailing how the social media giant failed to implement necessary safeguards.
According to the decision, which was finalized after a draft ruling in June by other supervisory authorities under Article 60 of the GDPR, Meta violated several key provisions of the regulation. These include Articles 5, 32, and 33, which pertain to the appropriate security measures for protecting personal data.
The Irish DPC highlighted multiple failures on Meta’s part. The company did not notify the agency about data breaches involving the unencrypted passwords, failed to implement suitable technical and organizational measures to secure the passwords from unauthorized access, and neglected to ensure an adequate level of security in line with the associated risks. These shortcomings compromised the “ongoing confidentiality of user passwords,” the DPC alleged.
Graham Doyle, deputy commissioner at the Irish DPC, emphasized the importance of properly securing sensitive data such as user passwords. “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Doyle stated. He added that the passwords in question were particularly sensitive since they granted access to users’ social media accounts.
Meta has yet to provide a public response to the DPC’s ruling.
This fine is the first significant penalty levied against Meta by the Irish DPC since the company’s record-breaking $1.3 billion fine in May 2023, which involved illegal transfers of user data between the EU and the U.S.
The ruling comes on the heels of a recent Federal Trade Commission study that criticized social media giants like Instagram for creating “vast surveillance” systems, which expose users to numerous risks and violate privacy laws, especially those aimed at protecting children.
By fLEXI tEAM