Europe fines Meta $106 million for storing user passwords in plaintext

Meta has been fined a number of times for violating the GDPR

by · TechSpot


Facepalm: Running a social media company the size of Meta may be technically complicated, but some mistakes simply should not happen. One example is storing user passwords in plaintext, which Meta claims it inadvertently did in 2019, violating the EU's GDPR. The incident adds to a growing list of ways in which Meta has infringed upon this privacy regulation.

Following a lengthy investigation, Meta has been fined €91 million (nearly $106 million) by the Irish Data Protection Commissioner (DPC) for storing certain Facebook user passwords in plaintext on its internal systems – that is, without cryptographic protection or encryption. The DPC also issued a reprimand to the social media giant.

Meta informed the DPC in April 2019 that it had inadvertently stored "hundreds of millions" of passwords improperly. The DPC stated that the passwords were not accessible to external parties.

The Irish watchdog serves as Meta's lead privacy regulator in the European Union, as the company's headquarters are based in Dublin.

The investigation revealed that the parent company of Facebook infringed upon the EU's General Data Protection Regulation (GDPR), which mandates that personal data be appropriately secured. This included failing to notify the DPC of the data breach in a timely manner.


Although Meta did inform the DPC about the password storage issue, the investigation found that this notification was not timely or comprehensive enough to meet GDPR requirements. The GDPR requires companies to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach.

The DPC also cited Meta for violating a GDPR requirement to document all personal data breaches, suggesting that even after notifying the DPC, Meta may not have maintained adequate records of the incident as required by law. It also found that Meta did not implement appropriate technical or organizational measures to protect users' passwords against unauthorized processing.

Graham Doyle, deputy commissioner at the DPC, emphasized the seriousness of Meta's misstep. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," he said in a statement.

A Meta spokesperson, Matthew Pollard, emailed a statement to TechCrunch claiming the company took "immediate action" regarding what had been an "error" in its password management processes. "We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry," the statement said.

Meta has accrued not only the largest fine for violating the GDPR since it went into effect, but also the majority of the largest penalties overall, according to a list compiled by TechCrunch.

The largest fine came in May 2023, when it was penalized $1.31 billion by the DPC for violating rules on transferring Facebook users' personal data outside the European Union. Earlier that year, in January, the company was fined $426 million for failing to have a valid legal basis to process user data for ad targeting on Instagram and Facebook. Additionally, in September 2021, it was fined $443 million for failings in its handling of minors' data on Instagram.

Meta has also been found to have infringed upon the GDPR due to technical missteps, such as storing passwords in plaintext. In November 2022, the DPC fined it $290 million when platform features, including contact importer and search tools, made the personal data of hundreds of millions of users discoverable to all other users.