Meta has been fined €91 million (around $106 million) by Ireland's Data Protection Commission (DPC) for storing user passwords in plaintext, in violation of the EU's General Data Protection Regulation (GDPR).
The company informed the DPC in April 2019 about the issue, revealing that “hundreds of millions” of Facebook passwords were improperly stored without cryptographic protection. Despite Meta’s notification, the DPC determined that the disclosure was not timely or detailed enough to meet GDPR standards.
The GDPR requires companies to report a personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. In this case, Meta's failure to meet that requirement, together with inadequate documentation of the breach and insufficient security measures, contributed to the size of the fine. The DPC also reprimanded Meta for not implementing appropriate technical safeguards to protect user passwords from unauthorized access.
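The safeguard the DPC faulted Meta for lacking is, at its core, never keeping the password itself: a stored credential should be a salted, deliberately slow one-way hash so that anyone who can read the table (an administrator, a backup, an internal log pipeline, or an attacker) still cannot recover the password. The example below is added here for illustration and is not code from the article or from any Meta system; it uses only Python's standard library, and the cost parameters and record format are this example's own assumptions, chosen to show the contrast between a plaintext credential table and a hashed one.

```python
"""Salted, memory-hard password hashing with the Python standard library.

Added example, not code from the article or from Meta. It places a plaintext
credential store (the failure mode the DPC sanctioned) beside a hashed one.
scrypt parameters and the record layout are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import os

# Assumed cost parameters; tune to your own hardware budget.
# n=2**14 with r=8 costs roughly 16 MiB of memory per hash, which is what
# makes offline guessing expensive even if the whole table leaks.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$hash (salt/hash base64)."""
    # A fresh random salt per user: two users with the same password never
    # share a record, and precomputed tables are useless.
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute using the record's own parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed or foreign record: never a match
    if scheme != "scrypt":
        return False
    salt = _unb64(salt_b64)
    expected = _unb64(digest_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # compare_digest avoids leaking, via timing, how many bytes matched.
    return hmac.compare_digest(candidate, expected)


# --- the 'before' and 'after' side by side ---------------------------------

def store_plaintext(users: dict, username: str, password: str) -> None:
    """The sanctioned pattern: whoever can read the table has the password."""
    users[username] = password


def store_hashed(users: dict, username: str, password: str) -> None:
    """The protected pattern: the table holds only salted scrypt output."""
    users[username] = hash_password(password)


def demo() -> dict:
    """Constructed sample data; returns the properties worth checking."""
    plain, hashed = {}, {}
    secret = "correct horse battery staple"  # constructed sample password
    store_plaintext(plain, "alice", secret)
    store_hashed(hashed, "alice", secret)
    store_hashed(hashed, "bob", secret)  # same password, different user
    return {
        "plaintext_readable": plain["alice"] == secret,
        "hash_hides_password": "correct horse" not in hashed["alice"],
        "same_password_different_records": hashed["alice"] != hashed["bob"],
        "login_ok": verify_password(secret, hashed["alice"]),
        "login_rejected": verify_password("Correct horse battery staple", hashed["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Embedding the parameters in the record is what lets a site raise the cost factor later and re-hash each user transparently at their next successful login, rather than keeping a mix of formats nobody can verify; it also means the verifier never has to trust a global setting that might drift from what was used when the record was written.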
Meta’s spokesperson, Matthew Pollard, responded by stating the company took “immediate action” to correct the error in its password management processes. He highlighted that Meta proactively informed the DPC and maintained constructive engagement during the investigation.
This latest fine adds to Meta's growing list of penalties for GDPR violations. In May 2023, the DPC fined Meta $1.31 billion for transferring Facebook users' data outside the European Union. In January 2023, the company was fined $426 million for improper data processing on Instagram and Facebook, and in 2021 it was fined $443 million for mishandling minors' data on Instagram. In 2022, Meta was fined a further $290 million after technical flaws exposed the personal data of millions of users to others on the platform.