The Irish Data Protection Commission (DPC) has fined Meta €91 million ($147 million) following revelations in 2019 that the company stored around 600 million Facebook and Instagram passwords in plaintext. The DPC found that Meta had violated multiple articles of the EU’s General Data Protection Regulation (GDPR) in connection with this breach.
The DPC launched its investigation five years ago after Meta reported that some user passwords had been stored without encryption. The inquiry uncovered that Meta had breached four articles of the GDPR, citing its failure to promptly notify authorities about the breach, document incidents related to the plaintext storage, and implement sufficient technical safeguards to protect user confidentiality.
Meta acknowledged that the issue affected a portion of Facebook users’ passwords but stated there was no evidence suggesting the exposed data was accessed or misused internally. Despite this, a senior employee revealed that around 2,000 engineers or developers conducted about nine million internal queries that included plaintext user passwords, some of which dated back to 2012.
A month after disclosing the Facebook breach, Meta admitted that millions of Instagram passwords had also been stored in a similar fashion. The company said that it would notify the affected users and take corrective measures.
Graham Doyle, the deputy commissioner at the DPC, emphasized the sensitivity of the breach, stating, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from unauthorized access to such data.” Doyle noted that access to these passwords could have granted entry into users’ social media accounts, highlighting the potential risks.
This isn’t the first time Meta has faced significant fines under the GDPR. In 2023, the company was handed a record €1.2 billion fine and ordered to stop transferring EU user data to the United States. Meta’s global affairs president, Nick Clegg, expressed disappointment at the fines, stating the company was “singled out” for using legal mechanisms similar to other firms in Europe.
To date, the DPC has imposed €2.5 billion in fines on Meta for GDPR violations since the regulation’s introduction in 2018, marking one of the largest regulatory challenges the company has faced in Europe. Meta is currently appealing the €1.2 billion fine from 2023.