The Irish Data Protection Commission (DPC) has imposed a fine of €91 million ($101.56 million) on Meta in connection with a security breach in March 2019. During this incident, Meta admitted that it had mistakenly stored users’ passwords in plaintext in its systems.
The DPC launched an investigation the following month and concluded that Meta had violated four articles of the General Data Protection Regulation (GDPR) of the European Union. This included Meta’s failure to promptly inform the DPC of the data breach, document personal data breaches related to storing passwords in plaintext, and implement adequate technical measures to safeguard the confidentiality of user passwords.
Initially, Meta disclosed that a subset of users’ Facebook passwords were exposed in plaintext, but claimed there was no evidence of unauthorized access or misuse internally. Subsequently, it was revealed that millions of Instagram passwords were also stored in a similar manner, prompting Meta to notify affected users.
Graham Doyle, deputy commissioner at the DPC, emphasized the sensitivity of storing passwords in plaintext and the risks associated with such practices. Meta acknowledged the error, stating that it took immediate action to rectify the issue and proactively informed the DPC about it.
In response to the fine, Meta mentioned in a statement to the Associated Press that it has addressed the issue and flagged it to the DPC proactively.
