Privacy & Information Security Law Blog

On September 27, 2024, the Irish Data Protection Commission (the “DPC”) announced it had issued a €91 million fine (approx. $101.5 million) and a reprimand against Meta Ireland for inadvertently storing passwords of certain users in plaintext on its internal systems (i.e., without cryptographic protection or encryption). The affected passwords were not made available to external parties.

In its decision, the DPC considered that Meta Ireland: (1) failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext; (2) failed to document personal data breaches concerning the storage of user passwords in plaintext; (3) did not use appropriate technical or organizational measures to ensure appropriate security of users’ passwords against unauthorized processing; and (4) did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.

Before the decision was finalized by the DPC, it was submitted to the remaining concerned supervisory authorities in the EU under Article 60 of the GDPR. The remaining supervisory authorities did not raise any objections to the DPC’s decision.