Meta hit with €91 million fine for lax password safety

US tech giant Meta has been hit with a €91m fine by the Irish data protection authority for failing to protect users' passwords, the privacy watchdog announced today (27 September).

The investigation was launched in April 2019, after Meta notified the Irish authority that it had inadvertently stored certain passwords of social media users in ‘plaintext’ - meaning without encryption - on its internal systems. 

The EU’s General Data Protection Regulation (GDPR), requires companies to implement appropriate security measures when processing personal data.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” Deputy Commissioner at the Irish DPC, Graham Doyle, said in a statement.

The Irish regulator submitted a draft decision to the other EU national supervisory authorities in June 2024, as required under the EU’s data protection rules. No objections to the height of the penalty were raised.

It’s not the first GDPR fine for Meta. In 2023, the company was hit with a record €1.2 billion fine by the Irish regulator for "continuing to transfer personal data" of users from the European Economic Area to the US after the EU’s highest court invalidated an EU-to-US data transfer agreement due to surveillance concerns.

In 2022, Meta was fined €265m after data of more than 533 million users was found dumped online. 

Reference: Euro News:  Story by Cynthia Kroet