In a significant blow to Meta, the Irish Data Protection Commission (DPC) has imposed a fine of €91m (£75m) on the Facebook parent company for its improper storage of user passwords.
The investigation, launched in April 2019, revealed that Meta had inadvertently stored certain passwords without encryption on its internal systems. This glaring security oversight led to four breaches of the General Data Protection Regulation (GDPR).
“It is widely accepted that user passwords should not be stored in ‘plaintext’ considering the risks of abuse that arise from persons accessing such data,” stated Graham Doyle, DPC deputy commissioner. “It must be borne in mind that the passwords… are particularly sensitive, as they would enable access to users’ social media accounts.”
This is not Meta’s first run-in with the DPC. In May 2023, the company was fined €1.2bn (£1bn) for mishandling data transferred between Europe and the United States. Additionally, Meta was fined €265m (£220m) in 2022 after data from 533m users was published on a hacking forum.
The latest fine, issued on September 26, includes a reprimand and underscores the need for stricter data protection measures.
Meta’s history of data mishandling has raised concerns about the company’s ability to safeguard user information. As the DPC continues to hold tech giants accountable, the question remains: will Meta learn from its mistakes and prioritize user data security?