Meta Fined $101.5 million For Password Security Breach

The lead European Union’s privacy regulator has fined Meta €91 million ($101.5 million) for inadequate security measures regarding user passwords.

Today, the Irish Data Protection Commission (DPC) announced its final ruling in an inquiry involving Meta Platforms Ireland Limited (MPIL).

The announcement reads that the inquiry began in April 2019 when MPIL reported that it had mistakenly stored certain social media users’ passwords in “plaintext,” meaning they were kept without any encryption or cryptographic protection on its internal systems.

This breach raised significant concerns about user data security and compliance with the General Data Protection Regulation (GDPR).

Deputy Commissioner Graham Doyle emphasized the severity of storing passwords in plaintext, stating on the announcement,

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”

“It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” he added.

In June 2024, the DPC submitted a draft decision regarding the case to other concerned supervisory authorities across the European Union and European Economic Area.

Since no objections were raised against the draft, the DPC proceeded to finalize its decision. On September 26, the DPC informed MPIL that it would face a reprimand along with a hefty fine of €91 million (approximately $101.5 million) for its negligence.

The DPC identified multiple violations of GDPR in its findings. Specifically, MPIL was cited for failing to notify the DPC about the personal data breach concerning the unencrypted storage of user passwords.

Furthermore, the commission noted that MPIL did not document the breaches. Additionally, the DPC found that MPIL had not implemented appropriate technical or organizational measures to safeguard users’ passwords from unauthorized access.

Finally, the DPC accuses MPIL of failing to implement adequate security measures appropriate for the risks associated with password processing.

According to a Meta spokesperson in an email to Bloomberg, the issue was discovered during a security review in 2019.

The spokesperson wrote, “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly.”

“We pro actively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry,” the spokesperson stated.

This latest fine adds to Meta’s growing list of GDPR penalties, which already includes several of the largest fines ever imposed on tech giants, as reported by TechCrunch.

This underscores the company’s ongoing struggles with privacy compliance and raises questions about its ability to effectively protect user data.