GDPR Breach

Data Protection Commission fines Meta €91 million over inadequate security for users' passwords

An inquiry found multiple infringements.

THE DATA PROTECTION Commission has reprimanded social media company Meta and issued it a €91 million fine over a GDPR breach involving users’ passwords.

Meta, the parent company of social media apps like Facebook, Instagram, WhatsApp and Threads, was found to have been inadvertently storing some user passwords in plaintext on its internal systems instead of protecting them with encryption.

The breach affected millions of Facebook and Instagram users, but the passwords had not been made available to external parties.

The Data Protection Commission launched an inquiry in April 2019 after Meta notified it about the breach the previous month.

The inquiry assessed the compliance of Meta's Ireland-based operation with the EU's General Data Protection Regulation (GDPR).

In particular, it looked at whether Meta implemented measures to ensure an appropriate level of security and whether it complied with its obligations to document and notify the Commission of personal data breaches.

The inquiry found multiple infringements.

These include an initial failure to notify the Commission of the data breach, failure to document the data breach, and failure to use appropriate security measures to protect the passwords.

Meta also failed to implement appropriate organisational measures around the confidentiality of the passwords, the inquiry found.

Announcing the decision, Deputy Commissioner Graham Doyle said that it is “widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data”.

“It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts,” Doyle said.
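The control the Commission refers to is that a service never stores the password itself: it stores a salted, deliberately slow one-way hash and re-computes that hash at login. The following is an added illustration written for this article, not code from Meta or from the Commission's decision; the scrypt cost parameters and the on-disk record format are assumed values for the example. It also includes a small check that a stored record does not contain the password bytes, which is the failure mode described above.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed scrypt work factors for this example; production values are tuned
# to the hardware so that one verification costs tens of milliseconds.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DIGEST_LEN = 32


@dataclass(frozen=True)
class PasswordRecord:
    """What the credential store keeps: salt, digest and the cost used to make it.
    The password itself is never part of this record."""
    salt: bytes
    digest: bytes
    n: int
    r: int
    p: int


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Derive a salted scrypt digest from the password. A fresh random salt is
    drawn unless one is supplied (supplying one is only useful for tests)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN,
    )
    return PasswordRecord(salt, digest, SCRYPT_N, SCRYPT_R, SCRYPT_P)


def verify_password(password: str, record: PasswordRecord) -> bool:
    """Re-derive the digest with the stored salt and cost, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=record.salt,
        n=record.n, r=record.r, p=record.p, dklen=DIGEST_LEN,
    )
    return hmac.compare_digest(candidate, record.digest)


def serialize(record: PasswordRecord) -> str:
    """Assumed storage format: scrypt$n$r$p$salt_hex$digest_hex.
    This string is what actually lands in the database."""
    return "$".join([
        "scrypt", str(record.n), str(record.r), str(record.p),
        record.salt.hex(), record.digest.hex(),
    ])


def parse(stored: str) -> PasswordRecord:
    """Inverse of serialize(); raises ValueError on anything malformed."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        raise ValueError("unrecognised password record")
    _, n, r, p, salt_hex, digest_hex = parts
    return PasswordRecord(bytes.fromhex(salt_hex), bytes.fromhex(digest_hex),
                          int(n), int(r), int(p))


def stored_value_contains_plaintext(password: str, stored: str) -> bool:
    """Audit helper: True if the bytes written to storage contain the password
    itself, which is the plaintext-storage failure the regulator sanctioned."""
    return password in stored or password.encode("utf-8").hex() in stored


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    stored = serialize(hash_password(pw))
    print("stored:", stored)
    print("login ok:", verify_password(pw, parse(stored)))
    print("wrong password ok:", verify_password("guess", parse(stored)))
    print("plaintext in storage:", stored_value_contains_plaintext(pw, stored))
```

Two design points matter here: the salt makes identical passwords produce different records, so a leaked store cannot be attacked with one precomputed table, and the cost parameters are stored alongside the digest so they can be raised later without invalidating existing accounts.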
