
EU Privacy Regulator Fines Meta €91m for Password Storage Breach

The European Union’s lead privacy regulator has fined Meta €91 million ($101.5 million) for inadvertently storing users’ passwords in plaintext without proper protection or encryption. The Irish Data Protection Commission (DPC) launched an investigation five years ago after Meta reported the breach.

Meta publicly acknowledged the incident at the time, and the DPC said the passwords were not made available to external parties, emphasizing the risks associated with storing passwords in plaintext and calling it a significant security lapse.

Irish DPC Deputy Commissioner Graham Doyle said, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”

A Meta spokesperson said in a statement on Friday that the company took immediate action to fix the error after identifying it during a security review in 2019, that there is no evidence the passwords were abused or accessed improperly, and that Meta engaged constructively with the DPC throughout the inquiry.

The DPC has fined Meta a total of €2.5 billion for violations of the General Data Protection Regulation (GDPR) since the regulation came into effect in 2018.

This includes a record €1.2 billion fine in 2023, which Meta is currently appealing. The DPC oversees the compliance of major U.S. tech firms with EU data protection laws, as their EU headquarters are located in Ireland.
