Ireland’s Data Protection Commission has fined Meta, the owner of Facebook and Instagram, 91 million euros ($102 million) for failing to properly protect users’ passwords.
The fine is linked to a data breach where passwords were stored in a readable format, which made them vulnerable to misuse.
The DPC launched an inquiry in April 2019 after Meta Ireland informed the regulator that it had accidentally stored some users’ passwords in plaintext, meaning they were not properly encrypted. This breach affected 36 million Facebook and Instagram users across the European Economic Area (EU, plus Iceland, Liechtenstein, and Norway).
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse,” said Graham Doyle, head of communications for the DPC.
The breach occurred in January 2019, but the DPC criticised Meta for waiting until March 2019 to notify them. Meta has since stated that they took immediate action to fix the problem.
In a statement, Meta acknowledged the mistake, saying, “Some Facebook users’ passwords were temporarily stored in a readable format in our internal data systems.” However, they assured that there is no evidence of the passwords being misused or accessed improperly.
“We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry,” a Meta spokesperson added.
