The lead European Union privacy regulator for Meta hit the tech giant with a fine worth more than $100 million Thursday for failing to properly store some users’ passwords.
The Irish Data Protection Commission (DPC) said Meta was fined 91 million euros, equal to nearly $106 million, following a years-long investigation.
Meta informed the commission in 2019 it inadvertently stored certain passwords of its platforms’ users in “plaintext,” or without protection or encryption, according to the DPC. The passwords were not available to external parties, the DPC said.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” DPC Deputy Commissioner Graham Doyle said in a statement.
The Irish watchdog handed down the fine as Meta’s lead privacy regulator in the European Union since the tech company’s headquarters is based in Dublin.
Meta, in a statement to The Hill, said a security review found a “subset” of Facebook users’ passwords were “temporarily logged in a readable format.”
The tech giant said it immediately acted to fix the error in 2019 and no evidence suggests the passwords were abused or accessed improperly.
A Meta spokesperson added the company “engaged constructively” with the DCP throughout the probe.
This is just the latest fine to hit Meta, the parent company of Facebook and Instagram. In 2022, the Dublin-based watchdog fined the company the equivalent of about 405 million euros — or $402 million at the time — for violating data protection laws, specifically related to children’s privacy on Instagram.
Last year, the EU slapped Meta with a $1.3 billion privacy fine and ordered the platform to stop transferring users’ information across the Atlantic. Earlier last year, Meta’s chat app, WhatsApp, was ordered to pay 5.5 million euros ($5.9 million) for forcing users to permit their personal data to be used to provide “service improvements and security.”
—Updated at 3:57 p.m.
