Ireland’s Data Protection Commission (DPC) has fined Meta €91 million ($101.5 million) for committing the cardinal sin of cybersecurity: storing passwords in plain text.
Some of the worst data breaches have occurred because passwords were stored in plain text. Unfortunately, Meta doesn’t seem to have gotten the memo: the company admitted in 2019 that it had stored the passwords of hundreds of millions of users in plain text. The only mitigating factor is that, according to the company’s statement at the time, the files in question were apparently not accessible to anyone outside Facebook.
To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.
While there is no evidence the passwords were accessible externally, the fact that they were stored in plain text means there was always a risk of exposure, whether by an insider reading the files or by an external attacker who compromised the systems holding them. A properly hashed credential store limits what either party learns; a plaintext one hands them every password outright.
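To make the distinction concrete, here is an added example (written for this page; it is not code from the article, from Meta or from the DPC) contrasting the plaintext pattern the DPC fined with a salted, memory-hard hash. The record format, the scrypt parameters and the sample passwords are assumptions made for the example, and the last function shows what an attacker who obtains a copy of each store actually learns.

```python
"""Plaintext password storage versus salted scrypt hashing (added example)."""
import hashlib
import hmac
import json
import os

# --- The pattern the DPC fined: the credential store contains the secret itself. ---
def plaintext_store(password: str) -> dict:
    # Anyone who can read the record (insider, leaked backup, scraped log file) has the password.
    return {"alg": "plaintext", "password": password}


def plaintext_verify(record: dict, password: str) -> bool:
    return record["password"] == password


# --- The hardened form: per-user salt plus a slow, memory-hard digest. ---
# Parameters are an assumption for this example (n=2**14, r=8, p=1 is a common baseline);
# production systems should tune them to their own latency budget and store them per record.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SCRYPT_MAXMEM = 64 * 1024 * 1024  # upper bound on scrypt's working memory


def hash_password(password: str, salt: bytes = None) -> dict:
    # A fresh random salt per user defeats precomputed tables and hides duplicate passwords.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN, maxmem=SCRYPT_MAXMEM,
    )
    # Parameters travel with the record so they can be raised later without a flag day.
    return {"alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "digest": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    stored = bytes.fromhex(record["digest"])
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(record["salt"]),
        n=record["n"], r=record["r"], p=record["p"], dklen=len(stored), maxmem=SCRYPT_MAXMEM,
    )
    # Constant-time comparison so a timing side channel does not leak digest prefixes.
    return hmac.compare_digest(candidate, stored)


def migrate_plaintext_record(record: dict) -> dict:
    """Convert a legacy plaintext record in place; the plaintext never needs to survive."""
    if record.get("alg") != "plaintext":
        return record
    return hash_password(record["password"])


def leaked_record_reveals_password(record: dict, password: str) -> bool:
    """What an attacker holding a copy of the store learns: is the password literally in it?"""
    return password in json.dumps(record)


if __name__ == "__main__":
    legacy = plaintext_store("hunter2")  # constructed sample credential
    print("plaintext store leaks password:", leaked_record_reveals_password(legacy, "hunter2"))
    hashed = migrate_plaintext_record(legacy)
    print("hashed store leaks password:  ", leaked_record_reveals_password(hashed, "hunter2"))
    print("hashed record still verifies: ", verify_password(hashed, "hunter2"))
```

The migration helper is the practical takeaway: once a plaintext store is discovered, every record can be rehashed immediately, and forcing a password reset for affected users is the remaining step, since the old values must be assumed exposed.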
The DPC has reached its final decision after it began investigating Meta Platforms Ireland Limited (MPIL) in 2019. The investigation found that MPIL infringed on the GDPR in the following ways:
- Article 33(1) GDPR, as MPIL failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext;
- Article 33(5) GDPR, as MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
- Article 5(1)(f) GDPR, as MPIL did not use appropriate technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing; and
- Article 32(1) GDPR, because MPIL did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
As a result of the investigation, MPIL has been reprimanded and fined €91 million ($101.5 million).
This Decision of the DPC concerns the GDPR principles of integrity and confidentiality. The GDPR requires data controllers to implement appropriate security measures when processing personal data, taking into account factors such as the risks to service users and the nature of the data processing. In order to maintain security, data controllers should evaluate the risks inherent in the processing and implement measures to mitigate those risks. This decision emphasises the need to take such measures when storing user passwords.
The GDPR also requires data controllers to properly document personal data breaches, and to notify data protection authorities of breaches that occur. A personal data breach may, if not addressed in an appropriate and timely manner, result in damage such as loss of control over personal data. Therefore, when a controller becomes aware that a personal data breach has occurred, the controller should notify the supervisory authority without undue delay, in the manner prescribed by Article 33 GDPR.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Graham Doyle, Deputy Commissioner at the DPC. “It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”