Meta Platforms, the social media giant, was fined €91 million ($101.5 million) by the European Union’s lead privacy regulator, the Irish Data Protection Commission (DPC), on Friday.
The fine was imposed after Meta Platforms inadvertently stored some users’ passwords without proper encryption. The breach came to light five years ago when Meta Platforms informed the DPC that it had stored certain passwords in “plaintext,” a major security oversight.
Meta Platforms said in March 2019 that it had found some user passwords stored in a readable format within its internal data storage systems. The affected accounts included hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and millions of Instagram users, Pedro Canahuati, VP Engineering, Security and Privacy, said in 2019.
Meta confirmed that no external parties had accessed the unprotected passwords. The DPC stressed the risks posed by storing sensitive data in this manner. “User passwords should not be stored in plaintext due to the risk of abuse,” said Irish DPC Deputy Commissioner Graham Doyle.
Meta responded by stating that it immediately corrected the issue upon discovering it during a security review, and emphasized that there is no evidence of misuse. The company has cooperated with the DPC throughout the investigation.
This latest fine adds to the €2.5 billion in total penalties Meta Platforms has faced under the EU’s General Data Protection Regulation (GDPR), including a record €1.2 billion fine in 2023, which the company is currently appealing, a Reuters news report said.
Graham Doyle said the GDPR requires data controllers to implement security measures when processing personal data, taking into account factors such as the risks to service users and the nature of the data processing.