Facebook — Enforcement
Executive Summary
The Irish DPC fined Meta €91 million for storing hundreds of millions of Facebook and Instagram user passwords in plaintext on internal systems, with no cryptographic protection, in breach of GDPR Articles 5(1)(f) and 32(1). The inquiry followed Meta's self-report of the issue in March 2019.
What Happened
On September 26, 2024, Ireland's Data Protection Commission fined Meta €91 million for storing hundreds of millions of Facebook and Instagram user passwords in plaintext on its internal systems, without encryption or hashing. The inquiry was launched in April 2019 after Meta self-reported the issue in March 2019. The decision found Meta in breach of several GDPR provisions: failing to implement appropriate security measures (Articles 5(1)(f) and 32(1)), failing to notify the DPC of the breach without undue delay, and failing to document the breach properly (Article 33).
Who Is Affected
The incident affected hundreds of millions of Facebook and Instagram users whose passwords were stored without cryptographic protection on Meta's internal systems. The passwords were not made available to external parties, but they were readable by Meta personnel with access to those systems. The affected users span Meta's global user base; the enforcement action was handled by Ireland's regulator because Meta's EU establishment is in Ireland, making the DPC its lead supervisory authority under GDPR.
Why It Matters
This case reinforces that storing passwords in plaintext is a serious GDPR violation even when the data is never exposed externally: anyone with read access to those internal systems could use the passwords to log in as the affected users, which is the internal-abuse risk the decision points to. The €91 million fine adds to Meta's history of major GDPR penalties, including a record €1.2 billion fine in 2023 for data transfers and a €265 million fine in 2022 related to data scraping. The decision demonstrates that companies must implement basic security measures for credentials, which for passwords means storing only a salted hash produced by a deliberately slow password-hashing function (such as scrypt, bcrypt or Argon2) rather than the password itself in any recoverable form, and that they must properly document and report data breaches.
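As an added illustration (not code from the original page, and unrelated to Meta's own systems), the following Python shows the control the decision expects: passwords are stored as salted scrypt hashes and verified in constant time, and a small audit routine flags any credential record that is still plaintext. The scrypt parameters, the record format and the sample user table are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# scrypt cost parameters; assumed values for illustration, tune for your hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$hash'.

    The record carries its own parameters so they can be raised later
    without breaking verification of older entries. The salt is random
    per password, so identical passwords produce different records.
    """
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def _parse_record(stored: str):
    """Split a stored record into (n, r, p, salt, digest); None if malformed."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return None
        salt = bytes.fromhex(salt_hex)
        digest = bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return None
    if len(salt) != SALT_LEN or len(digest) != KEY_LEN:
        return None
    return n, r, p, salt, digest


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the record's own parameters and compare in constant time."""
    parsed = _parse_record(stored)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    actual = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_LEN
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def find_plaintext_records(records: List[Tuple[str, str]]) -> List[str]:
    """Detective control: return user ids whose stored credential is not a hash record.

    Anything that does not parse as a scrypt record is treated as plaintext
    (or some other non-compliant format) and reported for remediation.
    """
    return [user_id for user_id, credential in records if _parse_record(credential) is None]


# Constructed sample credential table: two hashed entries and one plaintext entry.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("alice", hash_password("correct horse battery staple")),
    ("bob", "hunter2"),  # stored as plaintext: this is the failure mode
    ("carol", hash_password("another-long-passphrase")),
]


if __name__ == "__main__":
    print("alice verifies:", verify_password("correct horse battery staple", SAMPLE_RECORDS[0][1]))
    print("plaintext records:", find_plaintext_records(SAMPLE_RECORDS))
```

Verification never decrypts anything; the stored record is only ever compared against a freshly computed hash, so a copy of the table does not yield working passwords. The audit function is the kind of routine check that would have surfaced plaintext entries in an internal store before a regulator did.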
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.