Meta Handed $100 Million Fine in Ireland Over Password Storage

By Mauro Orru

Ireland's data protection watchdog fined Meta Platforms 91 million euros ($101.7 million) after the Facebook and Instagram owner stored passwords of some social media users on its internal systems without proper safeguards.

The Irish Data Protection Commission launched a probe in 2019 after it said Meta notified officials that it had inadvertently stored certain passwords in plaintext, without cryptographic protection or encryption. That inquiry focused on whether Meta was complying with the European Union's General Data Protection Regulation, the bloc's strict data-privacy and security law.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, deputy commissioner at the Irish Data Protection Commission.

In their decision, Irish officials said Meta had failed to notify the commission of a personal data breach and document breaches in relation to the storage of user passwords in plaintext, in breach of the GDPR.

A Meta spokesperson confirmed the group had found a subset of Facebook users' passwords were temporarily logged in a readable format in its internal data systems, saying the company took immediate action to address the issue and that there is no evidence those passwords had been abused or accessed improperly.

"We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry," the spokesperson added.

Write to Mauro Orru at mauro.orru@wsj.com

(END) Dow Jones Newswires

September 27, 2024 07:26 ET (11:26 GMT)

Copyright (c) 2024 Dow Jones & Company, Inc.