DUBLIN (Reuters) – Facebook’s lead regulator in the European Union, Ireland’s Data Protection Commissioner, on Thursday said it had launched an inquiry into whether the company violated EU data rules by saving user passwords in plain text format on internal servers.
The probe is the latest to be launched out of Dublin into the social network giant. The Irish regulator in February said it had seven statutory inquiries into Facebook and three more into Facebook-owned Instagram and WhatsApp.
Facebook in March announced that it has resolved a glitch that exposed passwords of millions of users stored in readable format within its internal systems to its employees.
The passwords were accessible to as many as 20,000 Facebook employees and dated back as early as 2012, cyber security blog KrebsOnSecurity, which first reported the issue, said in its report.
“The Data Protection Commission (DPC) was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” the DPC said in a statement.
“We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR,” it added.
The DPC said in February that it expected to conclude the first of its investigations into Facebook’s use of personal data this summer and the remainder by the end of the year.
Ireland hosts the European headquarters of a number of U.S. technology firms. Under the EU’s General Data Protection Regulation’s (GDPR) “One Stop Shop”, the Irish commissioner is also the lead regulator for Twitter, LinkedIn Apple and Microsoft.
As part of regulations introduced last year, a firm found to have broken data processing and handling rules can be fined up to 4 percent of their global revenue of the prior financial year, or 20 million euros (£17 million), whichever is higher.
Canada’s federal privacy commissioner on Thursday announced the results of a probe that found Facebook had committed serious contraventions of privacy law and failed to take responsibility for protecting the personal information of citizens.
(Reporting by Conor Humphries, editing by Padraic Halpin and Alexandra Hudson)