
Meta Faces $101 Million Fine for Storing User Passwords in Plain Text

  • Writer: Covertly AI
  • Oct 2, 2024
  • 3 min read

Updated: Oct 7, 2024

Meta, the parent company of Facebook and Instagram, has been fined €91 million (approximately $101 million) by the Irish Data Protection Commission (DPC) for storing hundreds of millions of user passwords in plain text on its internal systems. This significant penalty comes after a multiyear investigation into a 2019 security breach where Meta, then known as Facebook, failed to properly encrypt user passwords, leaving them vulnerable to potential misuse.


The security lapse, first disclosed by Meta in 2019, resulted from the company's internal data systems inadvertently logging user passwords in a readable format. Meta acknowledged the error at the time, stating that the passwords had only been accessible internally and that there was no evidence of misuse. Despite this, the DPC concluded that the company's practices violated several provisions of the European Union's General Data Protection Regulation (GDPR).



GDPR mandates that personal data, including passwords, be adequately protected. Storing passwords in a readable form poses significant risks, as anyone who can read the storage or the logs could gain access to sensitive information. According to the DPC, Meta's failure to implement appropriate technical measures to protect its users' data left social media accounts vulnerable. In addition to the fine, the DPC issued a formal reprimand to Meta, citing its failure to promptly notify the commission of the breach, as required under GDPR.
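The failure described above is a logging-layer problem (credentials written verbatim into internal logs) combined with a storage problem (the readable value being kept at all). The following is an added illustration, not Meta's code or anything from the DPC decision, of the two controls a practitioner would expect: a log sanitizer that masks credential fields before a request is serialised, and a password store that keeps only a salted, slow PBKDF2 hash. The field names, the sample login request and the `SENSITIVE_KEYS` list are constructed for this example.

```python
"""
Two defensive controls against plaintext password exposure (illustration only):
1. redact credential fields before a request payload reaches a log line;
2. store a salted PBKDF2-HMAC-SHA256 hash instead of the password itself.
"""
import hashlib
import hmac
import json
import os

# Field names treated as secrets. Assumption: a real system maintains this
# list centrally and applies it in the logging layer, not at each call site.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret"}
MASK = "[REDACTED]"


def naive_log_line(event: str, payload: dict) -> str:
    """The pattern that leaks: serialise the whole payload verbatim."""
    return f"{event} {json.dumps(payload, sort_keys=True)}"


def redact(obj):
    """Recursively mask any key whose name marks it as a credential."""
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def safe_log_line(event: str, payload: dict) -> str:
    """Same log line, but credentials are masked before serialisation."""
    return f"{event} {json.dumps(redact(payload), sort_keys=True)}"


# Storage: keep a salted, deliberately slow hash, never the password.
PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a record of the form 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random 16-byte salt is generated unless one is supplied (tests only).
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed sample: a login request as the logging layer might see it.
SAMPLE_LOGIN = {"user": "alice", "password": "hunter2-example", "remember": True}

if __name__ == "__main__":
    print(naive_log_line("login", SAMPLE_LOGIN))  # leaks the password into the log
    print(safe_log_line("login", SAMPLE_LOGIN))   # password masked
    record = hash_password(SAMPLE_LOGIN["password"])
    print(record)                                 # no recoverable password in storage
    print(verify_password("hunter2-example", record), verify_password("wrong", record))
```

The redaction runs on the structured payload rather than on the rendered string, so nested or list-wrapped credential fields are caught as well; the stored record carries its own algorithm, iteration count and salt, which is what lets the cost be raised later without breaking existing accounts.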


The DPC's investigation, which began in April 2019, revealed that the security incident had affected hundreds of millions of Facebook and Instagram users. Meta's internal systems had stored these passwords in plain text since 2012. Although the passwords were not exposed to external parties, the fact that they were readily accessible to Facebook employees raised serious concerns about the company's handling of user data.



This latest fine is just one in a series of penalties that Meta has faced from European regulators in recent years. In 2023, Meta was hit with a massive $1.3 billion fine for violating EU data privacy rules, mainly related to data transfer between the EU and the U.S. In 2022, the company faced another $276 million penalty following a data leak that exposed the personal information of more than 533 million users. Additionally, Instagram was fined $402 million that same year for mishandling the personal data of teenagers.


In commenting on the recent decision, Deputy Commissioner Graham Doyle emphasized the sensitivity of user passwords, noting that storing them in plain text creates a significant risk of abuse. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse from persons accessing such data. It must be borne in mind that the passwords the subject of consideration in this case are susceptible, as they would enable access to users' social media accounts," Doyle stated.


Meta, for its part, has sought to downplay the severity of the breach, describing the incident as an "error" in its password management processes. The company claims to have immediately rectified the situation, ensuring the passwords were no longer stored in plain text. Meta also maintains that there was no evidence to suggest that the passwords were abused or improperly accessed. Despite these assurances, the DPC found Meta's actions to violate GDPR, noting that the company failed to notify the commission of the breach within 72 hours.



The GDPR gives data protection authorities the power to impose fines based on several factors, including the nature, gravity, and duration of the infringement and the number of individuals affected. While the €91 million fine may seem substantial, it represents only a tiny fraction of the potential penalties Meta could face under GDPR, which allows for fines of up to 4% of a company's global annual revenue. In Meta's case, its revenue in 2023 reached $134.90 billion, meaning the fine could have been significantly higher.


As Meta continues to face scrutiny from European regulators, this latest fine underscores the company's challenges in complying with strict data protection laws. Despite its efforts to address the issues raised by the DPC, Meta's repeated violations of GDPR have raised questions about its commitment to safeguarding user privacy and ensuring that personal data is adequately protected.
