An Irish regulator responsible for enforcing European Union data privacy laws announced on Friday that it has fined Meta, the parent company of Facebook, 91 million euros ($102 million) for breaches related to password security.
The Data Protection Commission reprimanded Meta for not implementing adequate security measures to safeguard users’ password data and for delaying the notification of the regulator about the issue.
LEADERSHIP understands that an inquiry was launched in April 2019 after Meta Ireland informed the regulator that it had “inadvertently stored certain passwords of social media users” in a readable format on its internal system.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” the regulator’s head of communications, Graham Doyle, said.
Doyle told AFP that the breach, which took place in January 2019, affected 36 million Facebook and Instagram users across the European Economic Area, which comprises the EU plus Iceland, Liechtenstein and Norway.
The regulator criticised Meta for not alerting the DPC to the problem until March 2019.
In a statement to AFP, Meta acknowledged that some Facebook users’ passwords were “temporarily stored in a readable format in our internal data systems”.
“We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly.
“We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry”, a Meta spokesperson added.