Facebook Parent Meta Fined $102 Million by Irish Regulators Over Password Security Breach

The fine follows a four-year password-security probe by Ireland.
A smartphone displays Facebook CEO Mark Zuckerberg unveiling the Meta logo, in Los Angeles on Oct. 28, 2021. Chris Delmas/AFP via Getty Images
Tom Ozimek

Facebook parent Meta’s operations in Ireland have been hit with a $102 million fine and formal reprimand for failing to protect users’ passwords, Ireland’s Data Protection Commission (DPC) announced at the conclusion of a four-year investigation into the social media giant’s handling of sensitive user data.

The DPC said in a Sept. 27 announcement that Meta had failed to implement appropriate security measures for user passwords, resulting in the inadvertent storage of these sensitive details in plaintext—rather than with cryptographic protection—in the company’s internal systems.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, DPC deputy commissioner, said in a statement. “It must be borne in mind that the passwords subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”

The investigation, launched in April 2019, followed Meta’s notification to the DPC regarding the issue. At the time, Meta reported that passwords belonging to hundreds of millions of its users, including those on Facebook, Facebook Lite, and Instagram, had been stored without cryptographic protection or encryption within the company’s internal data storage systems.

“To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” Pedro Canahuati, Meta’s vice president of engineering, security, and privacy, said in a statement in March 2019. Canahuati said that in response to the discovery, Meta made several changes to improve its security practices.

While Meta maintained that there was no evidence of misuse of the improperly stored passwords, the DPC’s investigation found that the company had violated several key provisions of the European Union’s General Data Protection Regulation (GDPR) in connection to the incident.

The DPC’s final decision—which was made on Sept. 26 by the commissioners for data protection, Des Hogan and Dale Sunderland—identified four areas in which Meta’s practices were found to have run afoul of GDPR provisions.

Meta failed, for example, to notify the DPC in a timely manner about the personal data breach involving the storage of passwords in plaintext, and it did not adequately document the incident. Meta also failed to implement appropriate technical and organisational measures to protect user passwords from unauthorized access, and it did not ensure a level of security appropriate to the risks associated with storing passwords in plaintext.

The Irish regulators said that they would publish the full details of their decision in the coming weeks.

It is unclear whether Meta, which did not respond to a request for comment on the DPC’s decision to issue a reprimand and fine, intends to appeal. However, the company previously indicated it took the password security breach “seriously” and had bolstered its security practices in response.

The DPC’s $102 million fine is the latest in a series of penalties levied against Meta by Irish regulators.

In May 2023, the DPC imposed a record $1.34 billion fine on Meta for unlawfully transferring EU user data to the United States. This was followed by a pair of fines totaling $414 million for GDPR breaches related to Facebook and Instagram.

The GDPR, implemented in 2018, grants EU citizens extensive rights over their data and imposes strict obligations on companies to ensure its protection. The regulation has been described as one of the strongest data-protection frameworks globally, providing regulators with significant enforcement powers, including the ability to impose large fines.

A review of the GDPR’s impact two years after its introduction, carried out by the Regulatory Studies Center at George Washington University in 2020, found that the regulation not only strengthened individual rights but also had the unintended consequence of benefiting Big Tech because smaller companies were unable to bear the costs related to the many requirements of the regulation.

Tom Ozimek is a senior reporter for The Epoch Times. He has a broad background in journalism, deposit insurance, marketing and communications, and adult education.