Meta, the parent company of Facebook, Instagram, and WhatsApp, has been fined €91 million ($96.2 million) by the Irish Data Protection Commission (DPC) for violating the European Union’s General Data Protection Regulation (GDPR).
Exposed Passwords
The penalty stems from a 2019 data breach involving the storage of user passwords in plain text, a significant security failure.
The DPC’s investigation began in April 2019 after Meta reported that it had inadvertently stored some user passwords without encryption.
The breach affected 36 million users across the European Economic Area, and Meta failed to promptly notify the regulator of the issue, according to 20Minutes.
The passwords were left exposed in a readable format for several months. The DPC criticized Meta for not taking appropriate security measures and for the delay in addressing the breach: the company did not notify the regulator until March 2019, two months after the incident was discovered.
Acknowledged Mistake
Meta has since acknowledged the mistake, stating that it "immediately took steps to correct the error" and maintained that no passwords were accessed by third parties or misused.
Despite these reassurances, the DPC emphasized that storing passwords in an unencrypted format represents a clear failure to uphold industry-standard security practices.
This is not the first time Meta has faced fines for data violations in the European Union. The company was fined €225 million ($238 million) in 2021 for WhatsApp data transparency issues and €405 million ($429 million) in 2022 for mismanaging minors’ personal data.
Despite the string of penalties, Meta's profits continue to rise. In the second quarter of 2023, Meta’s net income jumped 73% to $13.5 billion, with revenues reaching $39 billion.