The Irish Data Protection Commission (DPC) has fined Meta €91 million ($147 million) over a security lapse in which the company admitted to mistakenly storing users’ passwords in plaintext.
The DPC’s investigation found that Meta violated four articles of the EU’s General Data Protection Regulation (GDPR). The inquiry was opened five years ago, after Meta notified the DPC that it had stored some passwords in plaintext.
The DPC criticised Meta for failing to promptly notify them of the breach, document incidents related to the plaintext storage of passwords, and implement adequate technical measures to protect user confidentiality.
While Meta disclosed that this privacy issue affected a subset of Facebook users’ passwords, it stated there was no evidence that the exposed data was accessed or misused internally.
Some of the exposed passwords date back to 2012, with a senior employee revealing that around 2,000 engineers or developers conducted approximately nine million internal queries for data containing plaintext user passwords.
A month later, Meta acknowledged that millions of Instagram passwords were also stored in a similar manner and announced plans to notify affected users.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, deputy commissioner at the DPC, said in a press statement.
“It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” Doyle said.
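The failure described above is the difference between persisting a password as it was typed and persisting only a salted, slow hash of it, and between writing raw request fields to a log and redacting credential fields first. The following is an added example, not code from the article or from Meta, showing both controls with Python’s standard library. The PBKDF2 iteration count, the storage record format, and the set of field names the log redactor looks for are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import re

# Assumed parameters: PBKDF2-HMAC-SHA256 with a per-user random salt.
# The iteration count should be tuned to the deployment's hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a storage record from which the password cannot be recovered.

    Record layout (assumed for this example): algo$iterations$salt_hex$digest_hex
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Credential fields in key=value or JSON-style log lines (assumed field names).
PASSWORD_FIELD = re.compile(
    r'(?i)("?(?:password|passwd|pwd)"?\s*[=:]\s*)("[^"]*"|\S+)'
)


def redact(line: str) -> str:
    """Replace the value of any password-like field before the line is logged.

    This is the control that keeps plaintext passwords out of logs, which is
    where internal tooling could otherwise later query them.
    """
    return PASSWORD_FIELD.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))

    raw_line = 'login user=alice password=hunter2 status=ok'
    print("unsafe log line:", raw_line)
    print("redacted log line:", redact(raw_line))
```

The stored record carries only the algorithm, the iteration count, the salt and the digest, so a read of the database or an engineer’s query against it does not yield the password; `verify_password` recomputes the digest on each login rather than decrypting anything. The redactor runs on the formatted line immediately before it is written, so the plaintext never reaches disk even when a request body is dumped for debugging.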
Last year, Facebook owner Meta was hit with a record €1.2bn fine by the Irish data watchdog and was instructed to stop transferring EU users’ data to the US.
In a response to the fine, Meta’s global affairs president Nick Clegg said that the company is “disappointed to have been singled out” for using the same legal mechanisms as other companies in Europe.
The DPC is the lead EU regulator for most of the top U.S. internet firms because they base their EU operations in Ireland.
To date, it has imposed fines totaling €2.5 billion on Meta for violations of the EU’s General Data Protection Regulation (GDPR), which was introduced in 2018. This includes a record €1.2 billion fine in 2023, which Meta is currently appealing.