Irish data regulator looking into Facebook password gaffe

The watchdog has begun an inquiry into the millions of login details the social network left unencrypted

Facebook login page on laptop

Ireland's Data Protection Commission (DCP) has confirmed it's looking into the hundreds of millions of passwords that Facebook stored without encryption.

The social network notified the regulator that user passwords for Facebook, Facebook Lite and Instagram were stored in plain text in the company's internal servers.

This is not the first or only investigation launched by the DPC into Facebook; in December the organisation announced it had started a second inquiry after the social network revealed a bug that exposed 6.8 million users photos.

The latest inquiry is focused on an incident in March, where Facebook notified users in a blog that "some" passwords were stored in a readable format. But much further down, the "some" Facebook referred to was actually "hundreds of millions" across three of its service.

Advertisement - Article continues below
Advertisement - Article continues below

"The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers," the regulator said.

"We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR."

On the surface, it may seem like another problem to add to the list for Facebook, but the timing of the announcement could be crucial. While the company has been dogged by controversy over the last year, due to its questionable data privacy policies and repeated security glitches, to date the only regulatory action has come from the UK's ICO - a 500,000 fine under the Data Protection Act 1998 - which Facebook has appealed.

But regulators around the world are circling. The US Federal Trade Commission is preparing a hefty penalty, based on a data privacy investigation that began in 2011 and most recently, Canada's federal privacy commissioner has said his office will go to court to seek an order to force Facebook to correct its privacy practices.

"The stark contradiction between Facebook's public promises to mend its ways on privacy and its refusal to address the serious problems we've identified - or even acknowledge that it broke the law - is extremely concerning," privacy commissioner Daniel Therrien said in a statement to the BBC.

Facebook's European infrastructure is mainly established in Ireland, where it has datacentres and benefits from the One Stop Shop mechanism provided for in the GDPR. This rule means that organisations carrying out cross-border personal data processing activities will only have to deal with one supervisory authority.

Advertisement - Article continues below

For Facebook, this is the DPC. The Irish data regulator arguably has the biggest data processing organisation to watch over and, given the torrid year Facebook has had, the most problematic too boot.

"Ireland has a strong role to play in ensuring the world of social media complies with GDPR regulations, and since Canada has already found Facebook to seriously contravene it's privacy laws, one would expect the Irish regulator may find it violating GDPR as well," said Anjola Adeniyi, technical leader for EMEA at Securonix.

"The password leak happened post-GDPR and identity theft is a potential risk, so the Irish regulator is also investigating Facebook's use of personal data."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020