EU hits Meta with €91 million fine for password security breach

Deputy Commissioner Graham Doyle underscored that storing passwords without encryption is widely unacceptable due to potential abuse.

Meta, Facebook’s owner, has been fined €91 million ($101.5 million) by the EU’s privacy regulator for mishandling user passwords. The issue, which surfaced five years ago, involved Meta storing certain users’ passwords in plaintext, a format lacking encryption or security protection. Ireland’s Data Protection Commission (DPC), which oversees GDPR compliance for many US tech firms operating in the EU, launched an investigation after Meta reported the incident.

Meta admitted the error, emphasising that third parties had not accessed the exposed passwords. However, storing passwords in an unprotected format is considered a major security flaw, as it exposes users to significant risks if unauthorised individuals access the data. Deputy Commissioner Graham Doyle underscored that storing passwords without encryption is widely unacceptable due to potential abuse.

This fine adds to Meta’s growing list of penalties under the EU’s General Data Protection Regulation (GDPR). To date, Meta has been fined a total of €2.5 billion for various data breaches, including a record €1.2 billion fine in 2023, which Meta is currently appealing. These repeated infractions highlight ongoing concerns about how the company handles sensitive user data.