The European Union’s main privacy regulator has fined social media giant Meta €91 million for unintentionally storing some users’ passwords without protection or encryption, Komersant ukrainskyi reports, citing Reuters.
The investigation was launched five years ago, after Meta notified the Irish Data Protection Commission (DPC) that it had stored some passwords in “plain text”. Meta publicly acknowledged the incident at the time, and the DPC stated that the passwords were not accessible to external parties.
“It is widely recognised that user passwords should not be stored in clear text given the risks of abuse that arise when individuals gain access to such data,” said Graham Doyle, Deputy Commissioner of the Irish DPC.
A Meta spokesperson noted that the company took immediate steps to correct the error after it was discovered during a security review in 2019, and that there is no evidence that the passwords were misused or accessed.
A Meta spokesperson added that the company has cooperated constructively with the DPC throughout the investigation.
The DPC is the main EU regulator for most of the leading US Internet companies due to the location of their European offices in Ireland.
To date, the DPC has fined Meta a total of €2.5 billion for violations of the EU’s General Data Protection Regulation (GDPR), enacted in 2018, including a record €1.2 billion fine in 2023, which Meta is appealing.