EU Privacy Regulator Imposes €91 Million Fine on Meta for Password Storage Violations, According to Reuters

DUBLIN (Reuters) – The lead European Union privacy regulator levied a fine of 91 million euros ($101.5 million) against social media giant Meta on Friday for the unintentional storage of some users’ passwords without proper protection or encryption.

The investigation began five years ago after Meta informed Ireland’s Data Protection Commission (DPC) that it had kept some passwords in plaintext format. Meta acknowledged the issue publicly at that time, and the DPC confirmed that the passwords were not accessible to external entities.

“Its widely recognized that user passwords should not be stored in plaintext, given the risks associated with unauthorized access to such data,” stated Graham Doyle, Deputy Commissioner of the Irish DPC.

A spokesperson for Meta mentioned that the company took prompt action to rectify the situation once it was discovered during a security review in 2019. They further asserted that there is no evidence indicating the passwords were misused or improperly accessed.

The spokesperson added that Meta cooperated fully with the DPC during the investigation.

The DPC serves as the principal EU regulator for many leading U.S. internet companies due to the presence of their EU operations in Ireland.

To date, the DPC has imposed a total of 2.5 billion euros in fines against Meta for violations of the General Data Protection Regulation (GDPR), which was enacted in 2018. This includes a record fine of 1.2 billion euros in 2023, a decision that Meta is currently appealing.