Facebook parent company, Meta fined €91m over password storage

Facebook’s parent company, Meta, has been fined €91m by the Irish Data Protection Commission (DPC) following an investigation into the storage of passwords. 
 

An inquiry was launched in April 2019 after Meta notified the DPC that it had inadvertently stored certain passwords of social media users on its internal systems without encryption. 
 

The DPC submitted a draft decision to other European data watchdogs in June 2024. 

No objections were raised by the other authorities. 

 

Meta has been found to have four breaches of the General Data Protection Regulation (GDPR). 

 

DPC deputy commissioner Graham Doyle said: “It is widely accepted that user passwords should not be stored in ‘plaintext’ considering the risks of abuse that arise from persons accessing such data. 

“It must be borne in mind, that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts,” he added. 

The decision, which was made by the commissioners for data protection, Dr Des Hogan and Dale Sunderland, and notified to Meta on 26 September, includes a reprimand and a fine. 

In May 2023, Meta was fined €1.2bn for mishandling data when transferring it between Europe and the United States. 

That fine was also issued by Ireland’s DPC; the largest fine imposed under the EU’s GDPR privacy law. 
 

In 2022, Meta was fined €265m after data from 533m people in 106 countries was published on a hacking forum having been “scraped” from Facebook years earlier.