Ireland investigating whether plaintext password storage Facebook violates gdpr

The Irish Data Protection Commission launched an investigation this week into the unprotected storage of its users’ passwords. In Canada, the privacy watchdog is going to court over privacy violations by Facebook.

Facebook has notified the Irish Data Protection Commission about logging and storing in plain text millions of passwords belonging to Facebook and Instagram users. “We launched an investigation this week into this issue to determine whether Facebook has met its obligations with regard to relevant safeguards of the GDPR,” the privacy commission writes. Organizations must provide ‘appropriate’ security for stored personal data on the basis of Article 32 paragraph 1 of those rules.

Last month, Facebook announced that the passwords of hundreds of millions of users of Facebook, Facebook Lite and Instagram had been accidentally stored unencrypted on its internal systems. This allowed thousands of employees to access the passwords. The cause was errors of data logging applications.

In Canada, after investigating the Cambridge Analytica scandal, the Office of the Privacy Commissioner of Canada concludes that Facebook has violated privacy law. The authority mentions that Facebook gave unauthorized access to personal data to third-party apps. There was also no permission from friends of friends to use data. Overall, the social network lacked sufficient oversight and responsibility, the conclusion concluded.

Already in 2009, the Canadian privacy authority advised that Facebook should take measures. Because the social network again ignores the advice and contradicts the results of the investigation, the Privacy Commissioner is going to court. The authority wants to force Facebook to take measures.