Irish DPC Fines Meta $101 Million
Meta's Irish entity notified data protection watchdogs in 2019 that the company had mistakenly been storing passwords in plain text within its internal systems. After a lengthy investigation, yesterday the Irish Data Protection Commission announced its official findings, handing Meta a $101 million fine.
By storing user passwords in plain text, essentially without any encryption or even hashing, Meta opened itself up to inordinate risk and its users to needless privacy harms.
The DPC's decision cites violations of Articles 33(1), 33(5), 5(1), and 32(1), which correspond to the following in order:
failure to notify regulators of a personal data breach concerning storage of user passwords in plaintext;
failure to document personal data breaches concerning the storage of user passwords in plaintext;
failure to use appropriate technical or organisational measures to ensure appropriate security of users’ passwords;
failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
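As an added illustration of the control the last two points describe, and not code from Meta or the DPC, the snippet below shows the hardened form of password storage (a salted, slow scrypt hash instead of the plaintext value) next to a simple audit that flags any stored credential not in that hashed format. The scrypt parameters and the sample rows are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List

# scrypt cost parameters; constructed for this example, tune for production hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$<salt_hex>$<hash_hex>'; the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt, expected = bytes.fromhex(parts[1]), parts[2]
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), expected)


# Audit check: anything in the credential column that is not a hashed record is
# treated as plaintext, so "ongoing confidentiality" is verified rather than assumed.
RECORD_RE = re.compile(r"^scrypt\$[0-9a-f]{32}\$[0-9a-f]{64}$")


def find_plaintext_records(rows: List[Dict[str, str]]) -> List[str]:
    """Return the user ids whose stored credential does not match the hashed-record format."""
    return [row["user"] for row in rows if not RECORD_RE.match(row["credential"])]


# Constructed sample rows: one stored the way the article describes, one stored hashed.
SAMPLE_ROWS = [
    {"user": "alice", "credential": "correct horse battery staple"},  # plaintext: flagged
    {"user": "bob", "credential": hash_password("hunter2hunter2")},   # hashed: passes
]
```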
This fine is the largest GDPR penalty imposed on Meta thus far in 2024, just a year after the organization received two separate fines of well over $100 million in 2023.