
Meta Receives €91 Million GDPR Fine Over Plaintext Password Storage

A 2019 incident in which user passwords were inadvertently stored in plaintext has netted Meta a €91 million GDPR fine from Ireland's Data Protection Commission (DPC). Access to the plaintext password storage was limited to Meta employees on an internal company network, but the company was faulted primarily for failing to maintain appropriate security measures and for failing to document the breach and notify the regulator in a timely manner.

Meta GDPR fine comes with reprimand

The GDPR fine was issued to Meta Platforms Ireland Limited (MPIL), the company's Irish subsidiary and the center of its EU operations. In March 2019 MPIL notified the DPC that a January security review had found hundreds of millions of credentials for Facebook, Facebook Lite and Instagram users sitting on the company network in plaintext. The DPC opened an inquiry into the password storage issue in April of that year to determine whether the GDPR had been violated.

As has happened before with Irish DPC investigations into Meta, the process took considerable time. The draft decision was not submitted to the EU's other supervisory authorities until June of this year, and it met with no objection. The DPC found violations of Articles 5, 32 and 33 of the GDPR: failure to notify the DPC of the plaintext password storage in a timely manner, failure to document the personal data breaches connected to it, and a lack of appropriate technical and organizational measures to ensure the security of stored passwords.

Meta receives a fine equivalent to about $120 million USD, in addition to a reprimand pursuant to GDPR Article 58. Meta has previously said that it found no evidence of outside access to the plaintext password storage, something the DPC's decision appears to support, and no indication that any of the passwords were abused. Hundreds of millions of users of Meta services were nevertheless notified of the exposure and prompted to change their passwords in 2019. Even though no misuse was documented, the fact that the exposed passwords could have been used to take over social media accounts appears to have been a factor in the size of the fine.

Improper password storage can draw substantial GDPR fines

This looks like another relatively modest GDPR fine for Meta at the end of a very long Irish investigation, but the DPC accompanied it with a statement on what it expects of all organizations regarding internal password storage. Data controllers are required to protect stored user credentials with adequate security at all times, and must weigh the level of risk to users and the nature of the processing when choosing protective measures for data in processing and in transit. Even if the exposure is purely internal, the penalty may well hinge on what could have happened had an outside actor gained access.

Though there have been questions about the size of some of its individual penalties, Meta has now accumulated a total of €2.5 billion in GDPR fines since the regulation came into force in 2018. Almost half of that total belongs to a 2023 decision for €1.2 billion involving Meta's data transfers to the US (an amount that remains under appeal as of this writing), and another €265 million is tied to the scraping and dumping of the contents of over half a billion Facebook profiles in 2018 and 2019. Nearly all of Meta's GDPR fine total has arrived since 2021, even though some of the underlying issues date back to the very beginning of the regulation's enforcement.

Regulation has made Meta's relationship with the EU increasingly strained over time, and not only because of the GDPR fines it has received. In early 2022 Meta threatened to pull some of its services from Europe over the international data transfer rules that led to its record fine, followed that with a clarifying statement that it did not intend to withdraw services, then later in the year once again appeared to threaten to pull Facebook and Instagram from the region. It has also indefinitely suspended AI training in the bloc, and with it the rollout of some of its AI products, citing "uncertainty" over how the GDPR and the new AI Act rules will be applied.

Prior guidance on password storage and related security measures calls for protection appropriate to the level of risk and the sensitivity of the data, and for regular review of those measures to ensure they keep pace with current standards. For passwords specifically, the accepted control is not reversible encryption but one-way storage: a random per-user salt combined with a deliberately slow, memory-hard hash (bcrypt, scrypt or Argon2), so that a system verifying logins never needs, and never holds, the plaintext. The GDPR does not set password security standards of its own; it sweeps login credentials in with its general requirements for protecting personal data. Most of what regulators expect for passwords is baseline security hygiene, but one point of note is the requirement that reviews be conducted regularly to confirm that systems remain adequate against current threats and that mistakes like this one are not slipping through the cracks.
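As an added illustration of the storage practice described above (example code written for this page, not Meta's code or anything from the DPC decision), the following uses only the Python standard library to store passwords as salted scrypt hashes, verify logins in constant time, and flag records produced under cost parameters weaker than the current policy so that a periodic review can upgrade them. The record format, the cost values and the user names are assumptions chosen for the example.

```python
"""Added example, not from the article or from Meta: salted, memory-hard
password hashing with a parameter-review check, standard library only."""
import base64
import hashlib
import hmac
import secrets

# Current cost policy (an assumption for this example). A periodic security
# review raises these as hardware gets faster; records created under older
# parameters are then flagged by needs_rehash() and upgraded at next login.
SCRYPT_N = 2 ** 14      # CPU/memory cost: 128 * r * N = 16 MiB with r = 8
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return a self-describing record "$scrypt$n$r$p$salt$key".

    Only the random salt and the derived key are stored; the plaintext is
    never written anywhere, and the key cannot be reversed to recover it."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=n, r=r, p=p, dklen=KEY_BYTES)
    return f"$scrypt${n}${r}${p}${_b64(salt)}${_b64(key)}"


def _parse(record: str):
    _, algo, n, r, p, salt, key = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported password record format")
    return int(n), int(r), int(p), base64.b64decode(salt), base64.b64decode(key)


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the key under the record's own parameters and compare in
    constant time, so a wrong guess leaks nothing about how close it was."""
    n, r, p, salt, expected = _parse(record)
    key = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                         n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(key, expected)


def needs_rehash(record: str) -> bool:
    """True when any cost parameter is below the current policy. This is the
    check a regular review runs over the store: old hashes must not quietly
    outlive the policy that was in force when they were created."""
    n, r, p, _, _ = _parse(record)
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


# Hashed once at import so a login for an unknown user burns comparable time.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def login(store: dict, username: str, candidate: str) -> bool:
    """Verify a login and, because this is the only moment the plaintext is
    legitimately in hand, transparently upgrade an out-of-policy record."""
    record = store.get(username)
    if record is None:
        verify_password(_DUMMY_RECORD, candidate)   # no user-existence timing oracle
        return False
    if not verify_password(record, candidate):
        return False
    if needs_rehash(record):
        store[username] = hash_password(candidate)
    return True


if __name__ == "__main__":
    # Constructed sample store: one record made under an older, weaker policy.
    store = {"alice": hash_password("correct horse battery staple", n=2 ** 10)}
    print("stale record flagged:", needs_rehash(store["alice"]))
    print("login ok:", login(store, "alice", "correct horse battery staple"))
    print("record upgraded:", not needs_rehash(store["alice"]))
    print("wrong password rejected:", not login(store, "alice", "hunter2"))
    print("stored record:", store["alice"])   # salt and key only, no plaintext
```

Note that an insider reading this store sees only salts and derived keys; the tuple `(n, r, p)` embedded in each record is what lets a later review identify and upgrade records that predate a tightened policy, rather than discovering years later that half the store was still protected by yesterday's parameters.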