The data-protection watchdog has reprimanded and fined social-media company Meta Ireland €91 million for breaches of the GDPR rules on password storage.

The Data Protection Commission (DPC) had launched an inquiry in 2019, after Meta notified the DPC that it had inadvertently stored certain passwords of social-media users in ‘plaintext’ – without cryptographic protection or encryption – on its internal systems.

Meta is the parent company of Facebook and Instagram.

The DPC decision found four separate infringements of the GDPR rules on password storage.

Risks

No objections to the decision were raised by other European supervisory authorities, who were notified of the decision as required under the GDPR.

The passwords were not made available to external parties.

Graham Doyle (deputy commissioner, DPC) commented: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.

“It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social-media accounts," he added.