DPC fines Meta €91m over unencrypted passwords
The Data Protection Commission (DPC) has announced its final decision following an inquiry into Meta Platforms Ireland Limited (MPIL). This inquiry was launched in April 2019, after Meta notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (ie without cryptographic protection or encryption).
The DPC submitted a draft decision to the other Concerned Supervisory Authorities across the EU/EEA in June 2024, as required under Article 60 of the General Data Protection Regulation (GDPR). No objections to the draft decision were raised by the other authorities.
The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, and notified to MPIL yesterday, 26 September, includes a reprimand and a fine of €91 million.
Deputy Commissioner at the DPC, Graham Doyle said: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
Meta told Reuters it has no evidence that any of the exposed passwords were misused.
TechCentral Reporters