EU hits Meta with $101.5 mln fine over unsecured password storage
The European Union's lead privacy regulator has recently imposed a 91 million euro ($101.5 million) fine on social media giant Meta for inadvertently storing user passwords without proper protection or encryption. The penalty comes after a five-year investigation by Ireland's Data Protection Commission (DPC), following Meta's public acknowledgement that it had stored some users' passwords in "plaintext" form.
Meta first reported the incident in 2019 and publicly acknowledged at the time that, while the passwords were exposed, they had not been accessed by external parties. The Irish DPC confirmed this in its findings but stressed the severity of storing sensitive data in such a vulnerable format.
"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner of the Irish DPC, in a statement.
The fine adds to Meta's growing list of penalties under the EU's General Data Protection Regulation (GDPR). Since the regulation's introduction in 2018, Meta has been fined a total of 2.5 billion euros for various breaches, including a 1.2 billion euro fine in 2023, which the company is currently appealing.