The Irish Data Protection Commission has sent out a warning to all online firms over how they store passwords after whacking Meta Platforms with a €91m fine for failing to encrypt millions of users’ personal data, bringing the company’s total GDPR fines over the past two years to more than €2bn.
The case dates back to 2019, when Meta discovered during a routine security review that “some user passwords” were stored in a readable format on its internal systems, without encryption or cryptographic protection. The company notified the Irish DPC of the issue, which triggered an in-depth investigation.
However, Meta said no passwords were exposed to external parties, adding that it found no evidence of abuse or improper access to the stored data.
Even so, the Irish DPC ruled that storing user passwords without encryption constituted a violation of several provisions of GDPR, including those on notification of data breaches, documentation of breaches, integrity and confidentiality of data, and security of processing.
While Meta did not disclose the exact number of users affected, it is estimated that millions of users of Facebook, Facebook Lite and Instagram could have been affected.
The regulator warned that data controllers must ensure robust security measures are implemented to protect sensitive user information.
Irish DPC deputy commissioner Graham Doyle said: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.
“It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”
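As an added illustration of the point the regulator makes here (example code written for this page, not Meta's or the DPC's), the following Python derives a salted PBKDF2 record for each password, verifies a login against it in constant time, and audits a credential store for entries that are not hashed. The KDF parameters, record format and sample store are assumptions.

```python
import hashlib
import hmac
import os
import re

# KDF parameters are assumptions for this example, not values from the article.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16

# A stored credential must look like: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
RECORD_RE = re.compile(r"^pbkdf2_(sha256|sha512)\$\d+\$[0-9a-f]+\$[0-9a-f]+$")


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a salted PBKDF2-HMAC hash and return a self-describing record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and iteration count, compare in constant time."""
    if not RECORD_RE.match(record):
        return False  # a malformed or plaintext record never verifies
    algo, iterations, salt_hex, hash_hex = record.split("$")
    hash_name = algo.split("_", 1)[1]
    digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def audit_password_store(store: dict) -> list:
    """Return the usernames whose stored credential is not a well-formed hash record."""
    return sorted(user for user, value in store.items() if not RECORD_RE.match(value))


# Constructed sample store: one proper record and one plaintext entry of the kind
# a routine security review should flag.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": "hunter2",
}
```

Running the audit over a real store at review time is the check that turns "a readable format" from a surprise into a finding.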
A Meta spokesperson said the password storage issue was an “error” that was promptly addressed, adding: “We proactively flagged this issue to our lead regulator, the Irish DPC and have engaged constructively with them throughout this inquiry.”
The penalty means Meta and its subsidiaries have now been fined more than €2bn over the past two years for breaches of GDPR, including €1.2bn for violating rules on transferring user data outside the EU, €405m for failing to have a valid legal basis to process user data for ad targeting and €5.5m for forcing users to share their personal data.
Fresh encryption warning as Meta fines now top €2bn