Meta, password in chiaro. Sanzione di 91.000.000 euro

Irish Data Protection Commission fines Meta Ireland €91 million

27th September 2024

The Data Protection Commission (DPC) has today announced its final decision following an inquiry into Meta Platforms Ireland Limited (MPIL). This inquiry was launched in April 2019, after MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems

...

Background

In March 2019, MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption). MPIL also published information regarding this incident in March 2019^[1]. These passwords were not made available to external parties.

The scope of the Inquiry, which commenced in April 2019, assessed MPIL’s compliance with the General Data Protection Regulation (GDPR), and in particular, whether MPIL implemented measures to ensure a level of security appropriate to the risks associated with the processing of passwords, and whether MPIL complied with its obligations to document, and notify the DPC of, personal data breaches.

This Decision of the DPC concerns the GDPR principles of integrity and confidentiality. The GDPR requires data controllers to implement appropriate security measures when processing personal data, taking into account factors such as the risks to service users and the nature of the data processing. In order to maintain security, data controllers should evaluate the risks inherent in the processing and implement measures to mitigate those risks. This decision emphasises the need to take such measures when storing user passwords.