Meta Fined $101.5 million For Password Security Breach

Written by: Kiara Fabbri, Multimedia Journalist

Fact-checked by: Justyn Newman, Lead Cybersecurity Editor

In a Rush? Here are the Quick Facts!

  • Meta was fined €91 million for inadequate password security measures.
  • MPIL stored user passwords in plaintext without encryption or protection.
  • The DPC identified multiple GDPR violations in its findings.

The European Union’s lead privacy regulator has fined Meta €91 million ($101.5 million) for inadequate security measures regarding user passwords.

Today, the Irish Data Protection Commission (DPC) announced its final ruling in an inquiry involving Meta Platforms Ireland Limited (MPIL).

According to the announcement, the inquiry began in April 2019 when MPIL reported that it had mistakenly stored certain social media users’ passwords in “plaintext,” meaning they were kept on its internal systems in readable form, without any encryption or other cryptographic protection.

This breach raised significant concerns about user data security and compliance with the General Data Protection Regulation (GDPR).

Deputy Commissioner Graham Doyle emphasized the severity of storing passwords in plaintext, stating in the announcement:

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”

“It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” he added.

In June 2024, the DPC submitted a draft decision regarding the case to other concerned supervisory authorities across the European Union and European Economic Area.

Since no objections were raised against the draft, the DPC proceeded to finalize its decision. On September 26, the DPC informed MPIL that it would face a reprimand along with a hefty fine of €91 million (approximately $101.5 million) for its negligence.

The DPC identified multiple violations of GDPR in its findings. Specifically, MPIL was cited for failing to notify the DPC about the personal data breach concerning the unencrypted storage of user passwords.

Furthermore, the commission noted that MPIL did not document the breaches. Additionally, the DPC found that MPIL had not implemented appropriate technical or organizational measures to safeguard users’ passwords from unauthorized access.

Finally, the DPC found that MPIL had failed to implement security measures appropriate to the risks involved in processing passwords.

According to a Meta spokesperson in an email to Bloomberg, the issue was discovered during a security review in 2019.

The spokesperson wrote, “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly.”

“We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry,” the spokesperson stated.

This latest fine adds to Meta’s growing list of GDPR penalties, which already includes several of the largest fines ever imposed on tech giants, as reported by TechCrunch.

This underscores the company’s ongoing struggles with privacy compliance and raises questions about its ability to effectively protect user data.
