TLDR:
- Meta fined €91 million ($101.5 million) by EU privacy regulator
- Fine relates to inadvertently storing user passwords without encryption
- Incident occurred in 2019, affecting potentially millions of accounts
- Irish Data Protection Commission led the investigation
- Meta has faced multiple GDPR fines totaling €2.5 billion to date
Meta, the parent company of Facebook and Instagram, has been hit with a €91 million ($101.5 million) fine by the Irish Data Protection Commission (DPC) for storing user passwords without proper encryption.
The penalty comes after a five-year investigation into a security incident that occurred in 2019.
The issue came to light when Meta notified the Irish DPC that it had inadvertently stored some user passwords in ‘plaintext’ format on its internal systems.
This means the passwords were kept in an easily readable form without the standard security measure of encryption. While Meta publicly acknowledged the incident at the time, the scale of the problem was significant.
According to reports, the incident potentially affected up to 600 million user accounts, with some passwords stored in this vulnerable state since 2012. The passwords were reportedly accessible to over 20,000 Facebook employees, although the DPC clarified that they were not made available to external parties.
Graham Doyle, Deputy Commissioner at the Irish DPC, emphasized the severity of the issue, stating,
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”
He added that the passwords in question were particularly sensitive as they would enable access to users’ social media accounts.
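To make concrete what "stored in plaintext" means in practice and what the expected protection looks like, here is a small Python example added to this article (it is not code from Meta or from the DPC decision). It assumes a hypothetical credential record format of one string per user and constructs its own sample records: a plaintext record is simply the raw password, which anyone with read access to the store can use to log in, while a protected record holds only a salted PBKDF2-HMAC-SHA256 digest. The audit function flags the plaintext records, and the login path upgrades a legacy plaintext record the next time the user authenticates successfully.

```python
import hashlib
import hmac
import secrets

# Record format (an assumption for this example, not Meta's):
#   protected: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
#   plaintext: the raw password itself, i.e. the condition the DPC fined.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000   # per OWASP guidance for PBKDF2-HMAC-SHA256


def store_plaintext(password: str) -> str:
    """The anti-pattern: whoever can read the record can read the password."""
    return password


def store_hashed(password: str, iterations: int = ITERATIONS) -> str:
    """One-way, salted record: the store never contains the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def is_protected(stored: str) -> bool:
    """True only if the record parses as a well-formed PBKDF2 record with sane parameters."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    iters, salt_hex, digest_hex = parts[1:]
    try:
        return (int(iters) >= 100_000
                and len(bytes.fromhex(salt_hex)) >= 16
                and len(bytes.fromhex(digest_hex)) == 32)
    except ValueError:
        return False


def verify(stored: str, candidate: str) -> bool:
    """Check a login attempt against either record kind, in constant time."""
    if not is_protected(stored):
        # Legacy plaintext record: the comparison is safe, the storage is not.
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    _, iters, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def audit_records(records: list[dict]) -> list[str]:
    """Return the users whose credential is readable; a non-empty list is a breach to report."""
    return [r["user"] for r in records if not is_protected(r["secret"])]


def login_and_upgrade(record: dict, candidate: str) -> bool:
    """On a successful login, replace a plaintext record with a hashed one in place."""
    if not verify(record["secret"], candidate):
        return False
    if not is_protected(record["secret"]):
        record["secret"] = store_hashed(candidate)
    return True


if __name__ == "__main__":
    # Constructed sample store: one legacy plaintext record, one protected record.
    store = [
        {"user": "alice", "secret": store_plaintext("correct horse battery staple")},
        {"user": "bob", "secret": store_hashed("tr0ub4dor&3")},
    ]
    print("plaintext records:", audit_records(store))   # ['alice']
    login_and_upgrade(store[0], "correct horse battery staple")
    print("plaintext records after upgrade:", audit_records(store))   # []
```

The audit is the check a defender would run over a real store: a record that does not parse as a hash record is evidence of the problem, regardless of whether anyone has read it yet. Two hashed records of the same password differ because each carries its own random salt, so a stored digest reveals neither the password nor which users share one.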
The investigation found that Meta had violated several rules under the EU’s General Data Protection Regulation (GDPR). Specifically, the company failed to notify the DPC of the data breach without undue delay, did not properly document the breach, and did not implement appropriate technical measures to ensure the security of users’ passwords against unauthorized processing.
This fine is part of a series of penalties Meta has faced under GDPR. To date, the company has been fined a total of €2.5 billion for various breaches since the regulation was introduced in 2018. This includes a record €1.2 billion fine in 2023 related to data transfers between the EU and the US, which Meta is currently appealing.
The incident highlights the ongoing challenges tech companies face in managing user data securely. It also underscores the increasing regulatory scrutiny on data protection practices, particularly for large tech firms operating in the European Union.
In addition to the financial penalty, the DPC has issued a reprimand to Meta. The full details of this reprimand and its implications for the company are expected to be released in the commission’s final decision.