Ireland Hits Meta with Record €91M Data Privacy Fine

Meta Hit with €91M EU Data Fine

“An inquiry was launched in April 2019 after Meta Ireland informed the regulator that it had inadvertently...”

Meta fined €91M for 2019 password security breach affecting 36M EU users, criticizing delayed notification to regulators.

Ireland's Data Protection Commission (DPC) has slapped Meta with a hefty fine of €91 million (approximately $102 million) for serious password security breaches. The issue came to light in 2019 when Meta revealed that it had stored hundreds of millions of user passwords in plaintext.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise...”

“An inquiry was launched in April 2019 after Meta Ireland informed the regulator that it had inadvertently stored certain passwords of social media users in a readable format on its internal system, the DPC said in a statement.

Graham Doyle, the regulator's head of communications, said, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”

A January 2019 security breach exposed the passwords of 36 million Facebook and Instagram users in the European Economic Area, comprising the EU, Iceland, Liechtenstein, and Norway. Unfortunately, Meta didn't notify the Data Protection Commission until two months later, in March 2019, sparking criticism from regulators. 

This breach was particularly concerning since the passwords were stored in plaintext, without proper encryption, making them easily accessible to hundreds of thousands of Meta employees.