DPC (Ireland) - Meta Ireland
DPC - Meta Ireland | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(f) GDPR, Article 32(1) GDPR, Article 33(1) GDPR, Article 58(2)(b) GDPR, Article 58(2)(i) GDPR, Article 60 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 01.04.2019 |
Decided: | 27.09.2024 |
Published: | 27.09.2024 |
Fine: | 91,000,000 EUR |
Parties: | Meta Platforms Ireland Limited |
National Case Number/Name: | Meta Ireland |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | DPC (in EN) |
Initial Contributor: | ao |
The DPA fined Meta €91,000,000 for a personal data breach involving the storage of Meta users’ passwords in plaintext without cryptographic protection or encryption.
English Summary
Facts
This decision is the final result of an inquiry launched in April 2019 after Meta Platforms Ireland Limited (MPIL) notified the DPC of the personal data breach. MPIL notified the DPC that it had inadvertently stored passwords of social media users in plaintext on its internal systems without cryptographic protection or encryption.
According to the DPC press release, the passwords were not made available to external parties.
The DPC had submitted a draft decision under Article 60 GDPR to the other Concerned Supervisory Authorities across the EU/EEA in June 2024 and no objections were raised by the other authorities.
Holding
The DPC found the following violations:
1. Article 33(1) GDPR, for failure to notify the DPC of the data breach concerning storage of user passwords in plaintext.
2. Article 33(5) GDPR, for failure to document personal data breaches concerning the storage of user passwords in plaintext.
3. Article 5(1)(f) GDPR, for failure to implement appropriate technical and organisational measures to secure users’ passwords against unauthorized processing.
4. Article 32(1) GDPR, for failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including confidentiality of user passwords.
Highlighting that an unaddressed personal data breach can result in damage such as loss of control over personal data, the DPC reprimanded MPIL pursuant to Article 58(2)(b) GDPR and issued a fine of €91 million pursuant to Article 58(2)(i) and Article 83 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.