Ireland’s data protection authority has fined Facebook’s parent company Meta 91 million euros for failing to properly protect user passwords.
Ireland’s data watchdog began investigating Meta five years ago, when Meta publicly acknowledged that routine checks had found some user passwords stored in unencrypted form in internal systems. This meant that over 20,000 employees of the company at that time had access to these passwords. While the passwords were not provided to other contractors or third parties, the scale of the impact raised concerns.
According to reports at the time, up to 6 million users were affected, accounting for about one-fifth of Facebook’s 2.7 billion users, although the company has never admitted to this figure. The security vulnerability can be traced back as far as 2012.
Following the investigation, the Irish Data Protection Commission (DPC) concluded that Meta Ireland had violated the EU Data Protection Regulation and, on September 27, decided to impose a fine of 91 million euros on the company.
In a statement to the media, a spokesperson for Meta responded that the passwords were only stored in readable format “temporarily” in their internal data systems. “We took immediate action to rectify this mistake, and there is no evidence to suggest that these passwords were misused or improperly accessed.”
The spokesperson also stated that they proactively reported this issue to the Irish data watchdog and had “constructive engagement” with relevant personnel throughout the investigation.
Because many global tech giants have their European headquarters in Ireland, a small Western European country, EU supervision of these companies is the responsibility of the Irish Data Protection Commission.
Last year, in 2023, the Irish Data Protection Commission issued fines totaling up to 1.55 billion euros. The entities fined included Chinese social media giant TikTok, which was fined 345 million euros in September of that year for improper protection of the personal data of minors.
Meta alone has received two massive fines, including a hefty 1.2 billion euro fine last May for transferring EU user data to the United States. Meta is currently appealing this case.
Since the EU implemented the General Data Protection Regulation (GDPR) in 2018, Meta and its subsidiaries, including the instant messaging tool WhatsApp, the social media app Instagram, and Facebook, have been fined multiple times.