Meta, the parent company of Facebook, WhatsApp, and Instagram, has been fined €91 million ($101 million) by the Irish Data Protection Commission (DPC) after it was discovered that the company had stored hundreds of millions of user passwords in plaintext on its internal systems.
Meta initially disclosed the incident in 2019, revealing that an engineering error had led to the unprotected storage of user passwords. At the time, the company assured its users that the passwords were only exposed internally and that there was no evidence of misuse. Meta promised to notify all users affected by the security flaw.
The company explained that a security review had found that a “subset” of Facebook users’ passwords were “temporarily logged in a readable format.” However, a month later, the company acknowledged that “this issue impacted millions of Instagram users.”
Following a five-year investigation, the DPC found Meta in breach of several provisions of the GDPR. Specifically, Meta had failed to report the personal data breach to the DPC in a timely manner, and it had failed to implement appropriate technical measures to ensure the protection of users’ passwords.
The watchdog issued a reprimand and the €91 million fine in response to these infractions.
This latest fine is one of many that Meta has faced under GDPR enforcement. Recent penalties include a €405 million fine for Instagram’s mishandling of teen data, a €5.5 million penalty involving privacy issues with WhatsApp, and a record-breaking €1.2 billion fine for Meta’s transatlantic data transfers, in violation of GDPR’s data sovereignty provisions.