Meta fined 91m euro over password breach

The issue applied to millions of Facebook and Instagram users.

Cillian Sherlock
Friday 27 September 2024 12:49 BST
Meta inadvertently stored certain user passwords in plaintext (PA)
Meta inadvertently stored certain user passwords in plaintext (PA) (PA Wire)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Facebook parent company Meta has been fined 91 million euro by the Data Protection Commission.

It follows an investigation into Meta inadvertently storing certain user passwords in plaintext on its internal systems, meaning they were not protected by encryption.

The issue applied to millions of Facebook and Instagram users.

Meta Ireland notified the DPC of the breach in March 2019. The passwords were not made available to external parties.

The DPC found a range of infringements of GDPR rules including failing to notify the commissioner of the data breach, failing to document the data breach, not using appropriate security measures to protect the passwords, and not implementing appropriate organisational measures around the confidentiality of the passwords.

Deputy Commissioner Graham Doyle said: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.

“It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in