Meta has been penalised with a fine of €91 million (approximately NZD $159.9 million) following a lengthy investigation by Ireland’s Data Protection Commission (DPC) regarding a security breach that occurred in 2019.
The breach involved the storage of “hundreds of millions” of Facebook users’ passwords in plaintext on the company’s internal servers; Meta reported it to the DPC in April 2019.
The inquiry was initiated under the General Data Protection Regulation (GDPR), which mandates that personal data must be adequately protected. The DPC’s investigation found that Meta did not encrypt the passwords, thus failing to comply with the legal standards set forth by the GDPR. This oversight created a risk that unauthorised third parties could access sensitive user information stored on social media accounts.
In addition to the encryption failure, the DPC found that Meta did not notify the commission of the breach within the 72-hour timeframe the GDPR requires. The company also failed to document the breach properly, further compounding its violations.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Deputy Commissioner Graham Doyle.
“It must be borne in mind that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”
In response to this ruling, Meta’s spokesperson Matthew Pollard issued a statement downplaying the findings, asserting that the company took “immediate action” upon discovering an “error” in its password management processes.
“As part of a security review in 2019, we found that a subset of FB [Facebook] users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” said Pollard.
This latest fine adds to Meta’s history of substantial penalties related to privacy compliance under GDPR. Notably, this penalty is significantly higher than a €17 million fine (approximately NZD $29.8 million) imposed by the DPC in March 2022 for a separate incident affecting up to 30 million Facebook users. In contrast, this recent breach involved hundreds of millions of users.
The GDPR allows data protection authorities to impose fines based on various factors, including the severity and duration of the infringement and the number of affected individuals. Although €91 million may seem considerable, it represents only a small fraction of Meta’s potential exposure under GDPR regulations, which can reach up to 4% of global annual turnover.