The European Union’s primary privacy authority has imposed a hefty fine of €91 million (approximately $101.5 million) on Meta Platforms Inc., stemming from a significant security oversight involving user passwords.
This penalty is the result of a thorough five-year investigation by Ireland’s Data Protection Commission (DPC), which found that the social media giant had stored user passwords in an unsecured, unencrypted format, commonly referred to as “plaintext.”
The issue came to light when Meta disclosed the security flaw in 2019, acknowledging that, although the passwords had been exposed, there had been no unauthorized access by external parties.
The Irish DPC corroborated this finding but underscored the serious implications of storing sensitive information in such a vulnerable manner.
Graham Doyle, Deputy Commissioner of the DPC, emphasized, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”
A Growing Financial Burden for Meta
This latest fine adds to Meta’s already substantial list of penalties under the EU’s General Data Protection Regulation (GDPR).
Since the regulation was enacted in 2018, the company has accrued fines totaling €2.5 billion for various compliance failures. Notably, a €1.2 billion penalty was issued in 2023, which Meta is currently appealing.
The ruling reflects ongoing scrutiny of tech companies’ data protection practices, particularly in an era where user privacy and security are paramount concerns.
As the DPC continues to enforce the rules strictly, companies like Meta face increasing pressure to strengthen their data-handling practices to prevent future violations.