The Irish Data Protection Commission (DPC) has announced its final decision following an investigation into Meta Platforms Ireland Limited (MPIL). The investigation, which began in April 2019, concluded with a fine of 91 million euros and a reprimand for the company.
Background of the investigation
In March 2019, MPIL notified the DPC that certain social media user passwords had been accidentally stored in “plaintext” on its internal systems, meaning in readable form without any cryptographic protection or encryption. Although these passwords were not made available to external parties, the incident posed a significant risk to user data security.
Detected violations
The DPC’s decision records the following infringements of the General Data Protection Regulation (GDPR):
Failure to comply with Article 33(1) of the GDPR by not notifying the DPC of a personal data breach related to the storage of user passwords in plaintext.
Failure to comply with Article 33(5) of the GDPR by not documenting personal data breaches related to the storage of user passwords in plaintext.
Failure to comply with Article 5(1)(f) of the GDPR by not using appropriate technical or organizational measures to ensure adequate security of user passwords against unauthorized processing.
Failure to comply with Article 32(1) of the GDPR by not implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to guarantee the continuous confidentiality of user passwords.
Official statements
Graham Doyle, Deputy Commissioner of the DPC, commented: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise when individuals access such data. It should be noted that the passwords under consideration in this case are particularly sensitive, as they would allow access to users’ social media accounts.”
Corrective measures
The decision includes the following corrective measures:
A reprimand in accordance with Article 58(2)(b) of the GDPR.
Administrative fines totaling 91 million euros in accordance with Articles 58(2)(i) and 83 of the GDPR.
Conclusion
This case highlights the importance of implementing appropriate security measures when processing personal data, especially when dealing with sensitive information such as user passwords. It also underscores the need to properly document personal data breaches and to notify data protection authorities of them.
The DPC has announced that it will publish the full decision and related information in due course.
via: Data Protection.