The Data Protection Commission (DPC) in Ireland has fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for storing in plaintext passwords of hundreds of millions of users.

The incident occurred in 2019. At the time, Meta disclosed it publicly and notified DPC, which initiated an investigation into the tech giant’s practices for storing sensitive user data.

“In March 2019, MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption),” reads DPC’s announcement.

In the 2019 disclosure, Meta said that it had found “some user passwords” stored on its systems in a readable format during a routine security review at the beginning of the year.

Although the company did not say how many users were impacted, it estimated that it would notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users” and millions of Instagram users.

It is worth noting that the passwords were available to external parties and the review found no evidence of abuse or improper access.

Storing user account passwords without proper protections, such as encryption and access control constitutes a violation of multiple General Data Protection Regulation (GDPR) articles relating to measures data controllers implement to guarantee the security of people’s data:

• Article 33(1) – Notification of a Personal Data Breach: Meta failed to notify the DPC in a timely manner that they had stored user passwords in plaintext, which constitutes a personal data breach.
• Article 33(5) – Documentation of a Personal Data Breach: Meta did not properly document the personal data breaches related to the storage of user passwords in plaintext, failing to maintain adequate records of the incident.
• Article 5(1)(f) – Integrity and Confidentiality: Meta did not implement adequate security measures to ensure the protection of users’ passwords, as they were stored in plaintext, lacking encryption or cryptographic protection.
• Article 32(1) – Security of Processing:  Meta failed to implement appropriate technical and organizational measures to protect the passwords, such as encryption, which would have maintained the confidentiality of the data and reduced the risk of unauthorized access.

For the above violations, and taking into consideration that Meta informed the Irish data protection authority voluntarily DPC imposes an official reprimand and an administrative fine of €91 Million.

The DPC will publish at a later date its complete decision and information related to the incident, the agency said.