The Data Protection Commissioner has launched a probe into Facebook’s password storage after an error left hundreds of millions of user passwords exposed in an internal plain text file. The passwords were accessible to as many as 20,000 Facebook employees, and some of them dated back as far as 2012.
The social network made the public aware of the breach when it resolved the issue in March. The DPC confirmed it had been notified by Facebook of the incident and has started an inquiry to determine whether GDPR laws have been breached.
“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” the authority said in a statement.
“We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR.”
Facebook’s internal investigation into the matter found no evidence that anyone outside the company got hold of the passwords, or that they were abused by staff.
The GDPR stipulates fines of up to 20 million EUR or 4% of the annual turnover, whichever is higher. Based on Facebook’s turnover of more than $55bn last year, it could be looking at a fine as high as $2.2bn (€1.97bn) if the DPC decides that GDPR laws have been breached. It is also important to note that this is one in a line of many investigations launched by the Irish watchdog into Facebook and its subsidiary companies Instagram and WhatsApp.