Meta has been issued a hefty privacy penalty in Europe, with Ireland’s Data Protection Commission announcing a €91 million fine (approximately $101.5 million) on Friday.
This follows a multiyear investigation into a significant security failure that Facebook’s parent company disclosed in 2019.
The DPC opened its inquiry in April 2019 after Meta disclosed that “hundreds of millions” of user passwords had been stored in plaintext on its servers, a serious breach of the General Data Protection Regulation (GDPR), which requires controllers to apply security measures appropriate to the risk of the data they hold (Article 32).
The investigation found that Meta had failed to protect these passwords with appropriate cryptographic measures, exposing them to anyone who could read the underlying storage, including third parties, and leaving the accounts they unlock at risk. The DPC also found that Meta did not notify the commission of the breach within the 72-hour window set by Article 33(1) and did not document the incident as Article 33(5) requires.
Graham Doyle, the DPC’s deputy commissioner, emphasized the seriousness of the breach, stating, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from accessing such data. The passwords in this case are particularly sensitive, enabling access to users’ social media accounts.”
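The practical content of Doyle’s point is that a credential store should never hold anything from which the password can be recovered: not plaintext, and not reversible encryption either, but a one-way, per-user-salted slow hash. The following Python is an added illustration written for this article, not Meta’s code or anything the DPC published; the scrypt work factors, the record format and the sample user table are assumptions chosen for the example. It places the sanctioned pattern (storing the password itself) beside a hashed scheme with constant-time verification, and adds the audit check a reviewer would run first: list every row whose stored value is not a well-formed hash record.

```python
"""Added example: plaintext credential storage next to a salted, slow-hash
scheme, plus an audit that flags rows still holding raw passwords.
Not Meta's code; parameters and the sample table are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work-factor assumptions for this example, not any real deployment's values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per hash
SALT_LEN, KEY_LEN = 16, 32


def store_plaintext(password: str) -> str:
    """The pattern the DPC sanctioned: the stored value *is* the credential,
    so anyone who can read the store can log in as the user."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a one-way, per-user-salted scrypt digest instead of the password.

    The record is self-describing ('scrypt$N$r$p$salt$key') so the work
    factor can be raised later without re-hashing every user at once."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh salt: equal passwords give different records
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def parse_record(record: str) -> Optional[dict]:
    """Return the fields of a well-formed scrypt record, or None if the value
    does not look like one (for example, because it is a raw password)."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt, key = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return None
    if n < 2 or n & (n - 1) or not salt or not key:   # scrypt needs N to be a power of two
        return None
    return {"n": n, "r": r, "p": p, "salt": salt, "key": key}


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest under the record's own parameters and compare in
    constant time, so response timing does not leak how many bytes matched."""
    fields = parse_record(record)
    if fields is None:
        return False   # never "verify" against a plaintext row
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=fields["salt"],
                               n=fields["n"], r=fields["r"], p=fields["p"],
                               dklen=len(fields["key"]))
    return hmac.compare_digest(candidate, fields["key"])


def audit_store(table: Dict[str, str]) -> List[str]:
    """Return the users whose stored credential is not a hashed record.
    This is the check a review of a credential store should start with."""
    return sorted(user for user, value in table.items() if parse_record(value) is None)


# Constructed sample table (not real data): two hashed rows, one plaintext row.
SAMPLE_TABLE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),   # same password, different record
    "carol": store_plaintext("hunter2"),                    # the kind of row the DPC found
}

if __name__ == "__main__":
    print("plaintext rows:", audit_store(SAMPLE_TABLE))   # ['carol']
    print("alice login ok:",
          verify_password("correct horse battery staple", SAMPLE_TABLE["alice"]))   # True
    print("alice record == bob record:", SAMPLE_TABLE["alice"] == SAMPLE_TABLE["bob"])   # False
```

Two details carry the weight here. The random per-user salt means two users with the same password get different records, so a leaked table cannot be attacked with one precomputed dictionary; and the verifier refuses to compare against anything that does not parse as a hash record, which stops a plaintext row from silently “working” and hiding the problem the audit is meant to surface.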
In response, Meta spokesperson Matthew Pollard downplayed the findings, characterizing the breach as an “error” in password management. He noted that the company took immediate corrective action upon discovering the issue during a 2019 security review and claimed there is no evidence that the exposed passwords were misused. Pollard stated that Meta proactively reported the issue to the DPC and has cooperated throughout the inquiry.
This latest fine adds to Meta’s list of substantial GDPR penalties, highlighting ongoing challenges with privacy compliance. Notably, this sanction is significantly larger than the €17 million fine issued to Meta in March 2022 for a separate breach affecting 30 million users, illustrating the severity of the 2019 incident.
The GDPR allows data protection authorities to set fines according to factors such as the nature and gravity of the violation and the number of people affected, up to a ceiling of 4% of worldwide annual turnover for the most serious infringements (Article 83(5)). Measured against that ceiling, the €91 million fine is small: with Meta’s 2023 revenue of $134.9 billion, the theoretical maximum would have been in the region of $5.4 billion.