The Irish Data Protection Commission (DPC) recently announced its final decision to fine Meta Platforms Ireland Limited (MPIL) €91 million for accidentally storing a large volume of passwords of social media users in ‘plaintext’ (i.e. in a readable format) on its internal systems. MPIL has also been issued with a reprimand. 

For the last 30+ years, industry best practice has been to cryptographically “hash” passwords so that they are unreadable. Hashing is the process of passing a password through a one-way cryptographic algorithm that produces a fixed-length string of characters that is, in practice, unique to each plaintext input. The ultimate aim is to store passwords only in hashed format - this prevents hackers and malicious insiders from being able to use the data without first expending large amounts of computing resources.
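As an added illustration of the hashed-versus-plaintext storage described above (example code, not MPIL’s or the DPC’s): the record format, iteration count and helper names are assumptions. A salted, deliberately slow PBKDF2 derivation is one common way of making each attacker guess expensive, and the audit helper shows how a credential store can be checked for values that are not in hashed form.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hypothetical storage format (an assumption, not any real product's scheme):
#   pbkdf2_sha256$<iterations>$<base64 salt>$<base64 digest>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # deliberately slow: raises the cost of every offline guess
SALT_BYTES = 16
DIGEST_BYTES = 32      # SHA-256 output length

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted, slow hash of the password; the plaintext is never stored."""
    salt = salt or os.urandom(SALT_BYTES)   # per-password random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False   # malformed (or bare plaintext) record: never treated as a match
    if algorithm != ALGORITHM or not iterations.isdigit():
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)

def is_hashed_record(stored: str) -> bool:
    """Audit check: does a stored value have the expected hashed shape?"""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return False
    try:   # validate=True makes b64decode reject anything that is not strict base64
        return (len(base64.b64decode(parts[2], validate=True)) == SALT_BYTES
                and len(base64.b64decode(parts[3], validate=True)) == DIGEST_BYTES)
    except ValueError:   # binascii.Error is a subclass of ValueError
        return False

def audit_store(store: Dict[str, str]) -> List[str]:
    """Return the accounts whose stored credential is not in hashed form."""
    return sorted(user for user, record in store.items() if not is_hashed_record(record))

# Constructed sample store: one hashed record, one accidentally plaintext record.
SAMPLE_STORE = {"alice": hash_password("correct horse battery"), "bob": "hunter2"}
```

Running `audit_store(SAMPLE_STORE)` flags only `bob`, whose value would be usable immediately by anyone who read the store.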

In this context, MPIL’s storage of hundreds of millions of Facebook, Facebook Lite and Instagram user passwords in plaintext was a major security error for obvious reasons. The DPC’s determination that MPIL failed to, inter alia, comply with the GDPR’s principles of integrity and confidentiality and to ensure a level of security appropriate to the risk comes as no surprise. 

The DPC’s decision follows an inquiry launched in April 2019 (Inquiry) after MPIL notified the DPC of the password incident. 

The DPC found that MPIL committed the following GDPR infringements:

  • Article 33(1) GDPR - MPIL failed to notify the DPC of a personal data breach concerning the storage of user passwords in plaintext;
  • Article 33(5) GDPR - MPIL failed to document the personal data breaches concerning the storage of user passwords in plaintext;
  • Article 5(1)(f) GDPR - MPIL failed to process personal data in a manner that ensures appropriate security of users’ passwords, including against unauthorised or unlawful processing; and
  • Article 32(1) GDPR - MPIL failed to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.

At the time of writing, the full decision and further related information have not yet been published; we expect them to follow in due course.

Inquiry

In March 2019, MPIL notified the DPC that it had accidentally stored certain passwords of social media users in ‘plaintext’ on its internal systems. MPIL also published information regarding this incident on its website in March 2019. The passwords were not made available to external parties and there was no evidence of internal misuse. 

The Inquiry assessed MPIL’s compliance with the GDPR and, in particular, whether it implemented measures to ensure a level of security appropriate to the risks associated with the processing of passwords, and whether it complied with its obligations to document personal data breaches and notify the DPC of them.

This decision relates to the GDPR principles of integrity and confidentiality. The GDPR requires controllers to implement appropriate security measures when processing personal data, taking into account factors such as the state of the art, the cost of implementation, risks to service users and the nature of the data processing. The DPC emphasised the fact that the passwords in question enable access to social media accounts containing sensitive personal data.

In order to maintain security, controllers must evaluate the risks inherent in their processing and implement measures to mitigate those risks. This decision emphasises the need to take such measures when storing user passwords.

The GDPR also requires controllers to properly document personal data breaches and to notify data protection authorities of breaches without undue delay and, where feasible, within 72 hours. The DPC acknowledged that a personal data breach may, if not addressed in an appropriate and timely manner, result in damage such as loss of control over personal data. Consequently, when a controller becomes aware of a personal data breach, it should notify the supervisory authority without undue delay in the manner prescribed by Article 33(1) GDPR.

This decision serves as a stark reminder that even if an accidental error is discovered and notified to the regulator, there may be a heavy price to pay!