Irish Data Protection Commissioner to investigate Facebook over password storage

The Irish Data Protection Commissioner (DPC), Facebook’s lead regulator in the European Union, has launched an inquiry into whether the company violated EU data rules by saving user passwords in plain text format on internal servers. 

 

The inquiry is the latest to be launched into the social network giant by the Irish regulator. In February, the DPC said it had seven statutory inquiries into Facebook and three more into Facebook-owned Instagram and WhatsApp. 

 

Facebook in March announced that it had resolved a glitch that exposed passwords of millions of users stored in readable format within its internal systems to its employees. 

 

The passwords were accessible to as many as 20,000 Facebook employees and dated back as early as 2012, cyber security blog KrebsOnSecurity, which first reported the issue, said in its report. 

 

“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” the DPC said in a statement. 

 

“We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR [General Data Protection Regulations],” it added. 

 

The DPC said in February that it expected to conclude the first of its investigations into Facebook’s use of personal data this summer and the remainder by the end of the year. 

As part of regulations introduced last year, a firm found to have broken data processing and handling rules can be fined up to 4 percent of their global revenue of the prior financial year, or €20 million, whichever is higher. 

 

US Senate 

The news comes just under a week before Helen Dixon, the Data Protection Commissioner, is due to appear in front of a US senate hearing in Washington DC on consumer perspectives on data privacy. 

 

Learn more 

Under provisions within GDPR, known as the “One Stop Shop”, Ms Dixon’s office is the lead regulator for Facebook, as well as Twitter, LinkedIn, Apple and Microsoft. 

 

Ms Dixon will appear before the Committee on Commerce, Science and Transportation on May 1st, alongside witnesses from the Future of Privacy Forum, the American Civil Liberties Union and non-profit online research body Common Sense Media. 

 

According to a release posted on Wednesday on the Committee’s website, the hearing will “examine consumers’ expectations for data privacy in the digital age and how those expectations may vary based on the type of information collected and processed by businesses”. 

 

Canada’s federal privacy commissioner on Thursday announced the results of a probe that found Facebook had committed serious contraventions of privacy law and failed to take responsibility for protecting the personal information of citizens. 

Ms Dixon’s office has been criticised for not being strict enough on tech companies. This week Brussels-based news website Politico Europe published an in-depth article criticising the DPC’s office and suggesting that Ireland’s multinational-focused industrial policy made the state a poor choice to regulate social media giants who were also employers here. – Reuters