The Irish Personal Protection Agency has fined Meta over 13.6 billion ISK. (€91 million) for keeping social media users’ passwords unencrypted.
The investigation into the case began in April 2019 after Meta Platforms Ireland Limited (MPIL) notified the data protection authority that the company had accidentally stored some social media users’ passwords in clear text, i.e. without cryptographic protection or encryption, on its internal systems.
The Irish data protection authority’s press release stated that the passwords had not been accessed from outside.
The conclusion of the Irish Data Protection Authority’s decision states, among other things, that MPIL has not adopted adequate technical or organizational measures to ensure the security of its users’ passwords against unlawful processing, nor has it implemented adequate security measures to ensure the confidentiality and security of passwords.