Meta has been hit with a €91 million fine (approximately $101.5 million) by Ireland's Data Protection Commission (DPC) over a password-handling failure it disclosed in 2019. The penalty closes a multi-year investigation that began when Meta, then still known as Facebook, reported that "hundreds of millions" of user passwords had been stored in plaintext on its internal systems, in breach of the General Data Protection Regulation (GDPR).
The GDPR requires that personal data be protected by appropriate technical measures, and the DPC opened its inquiry in April 2019 after Meta notified it of the breach. The investigation concluded that the affected passwords had been kept with no cryptographic protection at all, so that anyone with read access to the relevant storage could recover credentials tied to social media accounts. Plaintext storage is regarded as a severe oversight because the accepted practice is never to keep the password itself: a service should store only a per-user salted hash computed with a deliberately slow function, so that even a leaked table cannot be turned directly into working logins.
Beyond the failure to secure the passwords, the DPC found that Meta did not report the breach within the 72-hour window the GDPR sets for notifying the supervisory authority, and that it did not properly document the breach. Deputy commissioner Graham Doyle stressed that storing user passwords in plaintext is widely recognized as unacceptable because of the potential for abuse by anyone who gains unauthorized access.
In response to the fine, Meta’s spokesperson, Matthew Pollard, downplayed the incident, referring to it as an “error” in password management. He asserted that the company took “immediate action” to rectify the situation once it was discovered during a security review in 2019. Pollard noted that the passwords were temporarily logged in a readable format and emphasized that there was no evidence of improper access or abuse of the exposed passwords. He also mentioned that Meta had proactively notified the DPC about the issue and cooperated throughout the inquiry.
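The two failure modes the article names, passwords kept in readable form and passwords written to logs, both have routine engineering answers. The following Python example, added here as an illustration and not code from Meta or the DPC, shows the hardened pattern: a per-user salted slow hash for anything that must be stored, and a logging filter that scrubs credential values before any handler writes them. The work factor follows public OWASP guidance for PBKDF2-HMAC-SHA256; the field names the filter looks for and the sample log lines are constructed for the example.

```python
"""Password storage and log hygiene example (illustrative; not Meta's code).

Two pieces: (1) hash_password / verify_password store only a salted,
deliberately slow digest so the plaintext never reaches disk; (2) a
logging.Filter that redacts credential values so a debug statement cannot
"temporarily log" a password in readable form.
"""
import hashlib
import hmac
import io
import logging
import os
import re
from typing import Iterable, Optional

# Work factor for PBKDF2-HMAC-SHA256 per the OWASP Password Storage Cheat Sheet.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two identical passwords yield
    different records, and the slow KDF makes offline guessing expensive
    if the table leaks. The password itself is never stored.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Assumed credential field names in key=value or key: value form; extend for
# your own log schema.
_SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd)(\s*[=:]\s*)(\S+)")


class RedactCredentials(logging.Filter):
    """Scrub credential values before any handler sees the record.

    Operates on the fully formatted message so values supplied through
    %-style args are covered as well, then clears args so the formatter
    does not re-apply them.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = _SECRET_FIELD.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = ()
        return True


def capture_logs(lines: Iterable[str]) -> str:
    """Log each line through the redacting filter; return what a log file would hold."""
    sink = io.StringIO()
    logger = logging.getLogger("auth-example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactCredentials())
    for line in lines:
        logger.debug(line)
    return sink.getvalue()


# Constructed sample lines: one leaks a password, one merely mentions the
# word, one uses a different field name and separator.
SAMPLE_LINES = [
    "login ok user=alice password=hunter2 ip=203.0.113.7",
    "password reset requested for user=bob",
    "legacy client sent pwd: Tr0ub4dor&3",
]


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("stored record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    print(capture_logs(SAMPLE_LINES), end="")
```

The stored record contains the algorithm and iteration count, so the work factor can be raised later and old records re-hashed on next login. The filter is attached at the logger rather than at one handler so that every destination, file, stdout or a remote collector, receives the redacted text.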
Despite these statements, the fine is significant, particularly given that Meta already accounts for most of the largest GDPR penalties imposed on technology companies. This sanction is far larger than the €17 million fine the DPC issued to Meta in March 2022 for a separate breach affecting up to 30 million users. The DPC's senior management has changed since that decision, which may have influenced the scale of the current penalty, and the 2019 incident affected a much larger number of users, underlining the severity of the failure.
The GDPR allows data protection authorities to set fines according to several factors, including the nature and duration of the infringement, the scope of the processing, and the number of affected individuals. Although €91 million is a substantial sum, it is only a fraction of Meta's potential exposure: the GDPR caps fines for this class of infringement at 4% of a company's global annual turnover for the preceding financial year. Against Meta's reported 2023 revenue of $134.9 billion, the fine is small in the context of its overall financial position.
Overall, the incident underscores Meta's ongoing difficulty in maintaining compliance with privacy regulation. The penalty highlights the need for companies to treat credential protection as a baseline engineering requirement, especially for data as sensitive as passwords. As regulatory scrutiny continues, Meta's history of privacy failures poses significant reputational and financial risk.