Meta, the parent company of Facebook, has been fined €91 million ($101.5 million) by the European Union's lead privacy regulator, Ireland's Data Protection Commission (DPC), for improperly storing user passwords without encryption. This significant penalty comes after Meta acknowledged in 2019 that it had inadvertently stored some users' passwords in 'plaintext', a practice considered highly risky due to the potential for misuse.
The investigation into Meta's password storage practices was initiated five years ago when the company notified the DPC of the issue. According to the Irish regulator, storing passwords in plaintext is widely viewed as an unacceptable security lapse due to the potential for abuse if such data were accessed. Fortunately, Meta confirmed that no external parties accessed the passwords.
Meta responded swiftly upon identifying the error during an internal security review in 2019, taking immediate steps to fix the issue. A company spokesperson emphasized that there was no evidence suggesting any passwords had been misused or accessed improperly. Meta also cooperated fully with the DPC throughout the investigation.
The DPC has levied substantial fines against Meta since the introduction of the General Data Protection Regulation (GDPR) in 2018. In total, Meta has faced €2.5 billion in fines for various breaches, including a record €1.2 billion fine in 2023, which the company is currently appealing.
This latest penalty highlights the ongoing regulatory scrutiny Meta faces in Europe as it seeks to address privacy concerns and comply with stringent data protection laws.
The investigation into Meta's password storage practices was initiated five years ago when the company notified the DPC of the issue. According to the Irish regulator, storing passwords in plaintext is widely viewed as an unacceptable security lapse due to the potential for abuse if such data were accessed. Fortunately, Meta confirmed that no external parties accessed the passwords.
Meta responded swiftly upon identifying the error during an internal security review in 2019, taking immediate steps to fix the issue. A company spokesperson emphasized that there was no evidence suggesting any passwords had been misused or accessed improperly. Meta also cooperated fully with the DPC throughout the investigation.
The DPC has levied substantial fines against Meta since the introduction of the General Data Protection Regulation (GDPR) in 2018. In total, Meta has faced €2.5 billion in fines for various breaches, including a record €1.2 billion fine in 2023, which the company is currently appealing.
This latest penalty highlights the ongoing regulatory scrutiny Meta faces in Europe as it seeks to address privacy concerns and comply with stringent data protection laws.