The European Union's privacy watchdog has fined Meta USD 101.6 million for failing to protect customer credentials. The fine comes after a probe found that the social media giant kept some users' passwords in plaintext, a severe security flaw that violates EU data protection regulations.
Meta, Facebook's parent corporation, was fined on Friday by Ireland's Data Protection Commission (DPC) after a five-year investigation into the firm's password storage practices. The investigation began after Meta disclosed that it had inadvertently stored certain users' passwords in plaintext rather than in hashed form. While Meta admitted the issue at the time and assured the public that the passwords had not been exposed to third parties, the regulatory response has been harsh.
In a statement, Irish DPC Deputy Commissioner Graham Doyle said that keeping passwords in plaintext is widely acknowledged as a serious security concern. "Considering the potential for abuse and the dangers of unauthorised access, it is unacceptable for a company of Meta's scale to mishandle sensitive user data in this manner," Doyle told the media.
Meta responded by stating that the issue was discovered during a 2019 security review and was swiftly resolved. The company also stated that there was no proof of unauthorised access or password usage. "We engaged constructively with the DPC throughout the inquiry and have taken full responsibility for the incident," a spokeswoman for Meta told media.
The DPC, which is the primary privacy regulator for several large US technology companies operating in Europe, has taken extensive action against Meta in recent years. Since the General Data Protection Regulation (GDPR) was implemented in 2018, Meta has received cumulative fines totalling more than USD 2.79 billion for different violations. This includes a record USD 1.34 billion fine in 2023, which the corporation is now contesting.