Meta Platforms Inc. (META) has been fined €91 million ($101.5 million) by Ireland’s Data Protection Commission (DPC) for a 2019 security breach. The hefty penalty stems from an investigation initiated in April 2019 after Meta, then known as Facebook, revealed that “hundreds of millions” of user passwords were stored in plaintext on its servers. This means the passwords were stored in a readable format, making them vulnerable to unauthorized access.
The situation worsened when it was discovered that 2,000 engineers at the company accessed these 600 million unencrypted passwords nearly nine million times. This prompted serious concerns about data security and raised eyebrows among privacy advocates.
The DPC’s investigation concluded that Meta failed to adhere to the security standards of the General Data Protection Regulation (GDPR). The lack of encryption posed a significant risk of unauthorized access to user accounts, potentially leading to identity theft and other security breaches. Additionally, Meta was found to have violated reporting requirements by not reporting the breach within the mandated 72-hour timeframe and by failing to adequately document the incident.
Deputy Commissioner Graham Doyle emphasized the gravity of the situation, highlighting the sensitive nature of exposed passwords and the potential risks of abuse from unauthorized access. This latest fine underscores Meta’s ongoing struggles with privacy compliance, adding to a history of GDPR penalties.
The €91 million penalty surpasses the €17 million fine imposed in March 2022 for a separate 2018 breach, demonstrating the increasing severity of fines for data privacy violations.
This penalty is part of a series of fines that Meta has faced for privacy violations. In March 2022, Meta was fined $18.6 million by the Irish government for mishandling 12 data breaches between June 2018 and December 2018. In January 2023, the Irish watchdog imposed a €390 million fine on Meta for user privacy violations related to its handling of user data for personalized advertising.
More recently, in July 2023, Meta faced the threat of a $100,000 daily fine in Norway if it did not amend its privacy policies. The Norwegian Data Protection Authority imposed a three-month ban on Meta’s behavioral advertising, with potential extensions by the European Data Protection Board.
These repeated fines signal a growing concern among regulators about the protection of user data and highlight the importance of robust privacy practices for tech giants like Meta. As the digital landscape evolves, ensuring data security and privacy remains a top priority for both companies and users.