Meta Platforms Ireland Limited (MPIL) has recently come under fire from the Data Protection Commission (DPC) in Ireland, resulting in a hefty fine of €91m ($102m). The fine was imposed due to MPIL’s mishandling of social media users’ passwords, as well as infringements of GDPR regulations.

The investigation by the DPC was initiated in April 2019 when MPIL admitted to storing certain user passwords in ‘plaintext’ on its internal systems, without adequate encryption or protection. This raised significant concerns about the potential abuse of this sensitive information.

Graham Doyle, Deputy Commissioner at the DPC, highlighted the seriousness of the situation, stating that storing user passwords in plaintext poses significant risks of unauthorized access and misuse.

Meta’s spokesperson responded to the issue, acknowledging the error and assuring that immediate action was taken to rectify the situation. They emphasized that there was no evidence of the passwords being improperly accessed or abused.

Despite Meta’s efforts to address the issue, the DPC decided to levy a substantial fine against the company. The incident serves as a stark reminder to organizations about the importance of robust security measures and prompt reporting of data breaches to regulatory authorities.

Meta’s GDPR Breach

The GDPR requires stringent measures to protect user data, including appropriate security controls and breach notification procedures. In this case, Meta failed to meet these requirements, leading to the GDPR violation and subsequent fine.

The DPC’s decision underscores the crucial role of security measures in safeguarding user passwords and personal data. Organizations must implement robust practices to mitigate risks and ensure compliance with GDPR regulations.