Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Alamy Stock Photo

Data Protection Commission fines Meta €91 million over inadequate security for users' passwords

An inquiry found multiple infringements.

THE DATA PROTECTION Commission has reprimanded social media company Meta and issued it a €91 million fine over a GDPR breach involving users’ passwords.

Meta, the parent company of social media apps like Facebook, Instagram, WhatsApp and Threads, was found to have been inadvertently storing some user passwords in plaintext on its internal systems instead of protecting them with encryption.

The breach affected millions of Facebook and Instagram users but the passwords had not been made available to external parties. 

The Data Protection Commission launched an inquiry in April 2019 after Meta notified it about the breach the previous month.

The scope of the inquiry assessed Meta’s Ireland-based operation’s compliance with the EU’s General Data Protection Regulation (GDPR).

In particular, it looked at whether Meta implemented measures to ensure an appropriate level of security and whether it complied with its obligations to document and notify the Commission of personal data breaches.

The inquiry found multiple infringements.

These include an initial failure to notify the commissioner of the data breach, failure to document the data breach, and failure to use appropriate security measures to protect the passwords.

Meta also failed to implement appropriate organisational measures around the confidentiality of the passwords, the inquiry found.

Announcing the decision, Deputy Commissioner Graham Doyle said that it is “widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data”.

“It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts,” Doyle said.

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Close
JournalTv
News in 60 seconds