Irish Data Protection Commission fines Meta €91 million for passwords stored in plaintext
The Irish Data Protection Commission on Friday fined Meta €91 million (roughly $102 million), concluding an investigation launched in 2019 after the company notified regulators that it had inadvertently stored some user passwords internally in plaintext.
The DPC’s investigation found that Meta’s storage of the passwords violated several obligations under Europe’s General Data Protection Regulation (GDPR) concerning the handling of passwords belonging to users of a given service, the DPC said in a statement Friday.
“The GDPR requires data controllers to implement appropriate security measures when processing personal data, taking into account factors such as the risks to service users and the nature of the data processing,” the body said in its statement. “In order to maintain security, data controllers should evaluate the risks inherent in the processing and implement measures to mitigate those risks.”
A Meta spokesperson told CyberScoop on Friday that the company had found a subset of Facebook users’ passwords were “temporarily logged in a readable format within our internal data systems.” The company took “immediate action to fix the error, and there is no evidence that these passwords were abused or accessed improperly.”
The company “proactively flagged this issue” to the DPC, “and we have engaged constructively with them throughout this inquiry,” the spokesperson said.
In a March 2019 statement posted to the company’s website, Pedro Canahuati, Meta’s vice president of engineering, security and privacy, said the company discovered and fixed the issue, and decided to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
An update posted to the blog on April 18, 2019, said the company had discovered additional logs in which Instagram passwords had been stored in a readable format, affecting “millions of Instagram users.”