Meta Fined €91 Million for Storing User Passwords in Plain Text

Meta, the parent company of Facebook and Instagram, received a €91 million fine from the Irish Data Protection Commission (DPC) for storing user passwords without encryption. This fine follows a lengthy investigation that exposed how Meta stored millions of passwords in plain text, making them vulnerable to internal misuse.


Security Lapses Discovered in 2019

In 2019, Meta acknowledged that it had stored 600 million user passwords in a readable format. These passwords were not encrypted, and the issue reportedly began as early as 2012. Meta admitted its error and worked to resolve the issue, but the DPC investigation found that the company did not inform regulators quickly enough.

Graham Doyle, Deputy Commissioner of the DPC, emphasized the risk, stating, “User passwords should never be stored in plaintext.” He pointed out that access to these passwords posed significant risks, as they could unlock social media accounts.

Thousands of Employees Had Access

The investigation revealed that over 20,000 Meta employees had access to the unencrypted passwords. Although Meta claimed the passwords were not exposed to outside parties, the DPC concluded that Meta violated several provisions of the GDPR. These violations included a failure to secure user data and delays in notifying regulators.


Meta’s data protection failures are not new. Since 2018, the company has been fined €2.5 billion for various breaches, including this most recent penalty.

Meta’s Reaction and Future Implications

Meta is likely to appeal the decision, adding to its ongoing legal battles over data privacy. Along with the fine, the DPC also issued a formal reprimand to the company. Though the full details of the reprimand remain undisclosed, this case highlights the growing pressure on tech giants to safeguard user data.

Meta’s repeated failures in securing user information reflect the broader challenges facing large tech companies. As privacy regulations tighten, firms like Meta must implement stronger security measures to avoid further penalties.

Sources: MoneyCheck