The European Union’s lead privacy regulator has fined Meta €91 million ($101.5 million) for inadvertently storing users’ passwords in plaintext without proper protection or encryption. The Irish Data Protection Commission (DPC) launched an investigation five years ago after Meta reported the breach.
Meta publicly acknowledged the incident at the time and the DPC said the passwords were not made available to external parties.
The DPC emphasised the risks associated with storing passwords in plaintext, calling it a significant security lapse.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” stated Irish DPC Deputy Commissioner Graham Doyle.
A Meta spokesperson said the company took immediate action to fix the error after identifying it during a security review in 2019, and that there is no evidence the passwords were abused or accessed improperly. Meta engaged constructively with the DPC throughout the inquiry, the spokesperson added in a statement on Friday.
The DPC has fined Meta a total of €2.5 billion for General Data Protection Regulation’s (GDPR) violations since the regulation came into effect in 2018. This includes a record €1.2 billion fine in 2023, which Meta is currently appealing. The DPC oversees the compliance of major U.S. tech firms with EU data protection laws, as their EU headquarters are located in Ireland.
Melissa Enoch
Follow us on:
