Meta Fined for Storing Passwords in Plaintext, Facing €91 Million GDPR Penalty

News


Meta Platforms Ireland Limited (MPIL) has been fined €91 million by Ireland’s Data Protection Commission (DPC) for improperly storing user passwords in plaintext, in violation of multiple General Data Protection Regulation (GDPR) articles. The penalty stems from a 2019 incident in which Meta discovered that hundreds of millions of user passwords had been left unsecured on its internal systems. Despite the severity of the lapse, Meta maintains that there is no evidence of external access to, or misuse of, the data.

In March 2019, Meta notified the DPC after identifying the breach during a routine security review. The investigation revealed that passwords belonging to “hundreds of millions” of Facebook Lite users, tens of millions of Facebook users, and millions of Instagram accounts had been stored in plaintext. Storing passwords this way left them exposed to potential unauthorized access, without the encryption or other cryptographic protection essential for user safety.

The DPC’s investigation found Meta in violation of several key GDPR provisions. Under Article 33(1), Meta failed to notify the DPC of the personal data breach promptly, as the law requires. The company also failed to keep adequate documentation of the incident, as required by Article 33(5). The most serious breach concerned Article 5(1)(f), which obliges companies to safeguard the integrity and confidentiality of personal data; Meta’s failure to secure the passwords with encryption directly contravened this requirement. Finally, Meta did not implement appropriate technical and organizational measures for processing the data, in violation of Article 32(1), which sets out the security measures required for data protection.

Although Meta voluntarily disclosed the issue to the Irish regulator and launched an internal investigation, its failure to implement basic security measures led to the substantial fine. The penalty underscores the importance of adhering to data protection standards, particularly where personal user information is concerned.

The DPC emphasized that, despite the scale of the breach, no external parties had access to the plaintext passwords, and there was no confirmed misuse. Nonetheless, the incident has reignited conversations about Meta’s overall security practices and compliance with data protection laws across its platforms, including Facebook and Instagram.

As of now, the DPC has issued an official reprimand along with the substantial fine, and further details of the investigation will be released in an upcoming report.

Meta’s handling of the incident serves as a cautionary tale for companies managing vast amounts of user data. As cybersecurity remains at the forefront of public concern, GDPR compliance and strong encryption practices have never been more crucial in protecting sensitive information.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
