Europe fines Meta $106 million for storing user passwords in the clear

Facepalm: Running a social media business the size of Meta can be technically complicated, but some mistakes just shouldn’t happen. One example is storing user passwords in plain text, which Meta claims it did inadvertently in 2019, in violation of the region’s GDPR regulations. The incident adds to a growing list of ways Meta has violated this privacy regulation.

Following a lengthy investigation, Meta was fined €91 million (nearly $106 million) by the Irish Data Protection Commissioner (DPC) for storing certain passwords of Facebook users in the clear on its internal systems, i.e. without cryptographic protection or encryption. The DPC also issued a reprimand to the social media giant.

Meta informed the DPC in April 2019 that it had inadvertently stored “hundreds of millions” of passwords inappropriately. The DPC said the passwords were not accessible to external parties.

The Irish watchdog is Meta’s main privacy regulator in the European Union, with the company’s headquarters based in Dublin.

The investigation found that Facebook’s parent company violated the EU’s General Data Protection Regulation (GDPR), which requires personal data to be appropriately secured. This included failing to notify the DPC of the data breach.

Although Meta informed the DPC of the password storage issue, the investigation found that this notification was not timely or comprehensive enough to meet GDPR requirements. The GDPR requires companies to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach.

The DPC also cited Meta for violating a GDPR requirement to document all personal data breaches, suggesting that even after notifying the DPC, Meta may not have kept adequate records of the incident as required by law. It also found that Meta had not implemented appropriate technical or organizational measures to protect users’ passwords against unauthorized processing.

Graham Doyle, deputy commissioner of the DPC, highlighted the seriousness of Meta’s misstep. “It is widely accepted that user passwords should not be stored in plain text, given the risks of abuse that arise from people having access to this data,” he said in a statement.
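To make the point in Doyle's statement concrete, the following added example (not code from the article, and unrelated to Meta's actual internal systems, whose details are not public) contrasts the flawed pattern, writing the password itself into a user record, with the accepted one: storing only a per-user random salt and the output of a slow key-derivation function, and checking logins by recomputing that output. The in-memory user table, the usernames and the scrypt parameters are all assumptions chosen for illustration; a small audit helper shows how a defender can flag records that still carry a password verbatim.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt work factors for the example (16 MiB of memory per guess);
# production values should be tuned to the hardware and re-evaluated over time.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
HASH_BYTES = 32


def store_plaintext(users: dict, username: str, password: str) -> None:
    """The flawed pattern the DPC sanctioned: the secret itself is written to the
    record, so anyone who can read the table (staff, backups, logs) can read every
    password. Kept here only to show what the audit below detects."""
    users[username] = {"password": password}


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation; the same function is used for storing and verifying."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=HASH_BYTES,
    )


def store_hashed(users: dict, username: str, password: str,
                 salt: Optional[bytes] = None) -> None:
    """Store a fresh random salt plus the derived hash; the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    users[username] = {
        "kdf": "scrypt",
        "salt": salt.hex(),
        "hash": _derive(password, salt).hex(),
    }


def verify(users: dict, username: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.
    Records without a hash (e.g. legacy plaintext rows) never verify; they should be
    reset rather than trusted."""
    rec = users.get(username)
    if rec is None or "hash" not in rec or "salt" not in rec:
        return False
    expected = bytes.fromhex(rec["hash"])
    actual = _derive(password, bytes.fromhex(rec["salt"]))
    return hmac.compare_digest(actual, expected)


def records_exposing_passwords(users: dict) -> list:
    """Audit helper: usernames whose record carries the password verbatim."""
    return sorted(name for name, rec in users.items() if "password" in rec)


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    table: dict = {}
    store_hashed(table, "alice", "correct horse battery staple")
    store_plaintext(table, "bob", "hunter2")  # the mistake the article describes
    print("alice login ok:", verify(table, "alice", "correct horse battery staple"))
    print("alice wrong pw:", verify(table, "alice", "wrong"))
    print("records still holding plaintext:", records_exposing_passwords(table))
```

Two design points worth noting: the stored record contains nothing from which the password can be recovered, only material that lets a guess be checked slowly, and the comparison uses `hmac.compare_digest` so that timing does not leak how many bytes of a guess matched.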

A Meta spokesperson, Matthew Pollard, emailed a statement to TechCrunch saying the company had taken “immediate action” regarding what had been an “error” in its password management processes. “We have proactively reported this issue to our main regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this investigation,” the statement said.

Meta has racked up not only the highest fine for GDPR violations since it took effect, but also the majority of the heaviest penalties overall, according to a list compiled by TechCrunch.

The largest fine was imposed in May 2023, when it was penalized $1.31 billion by the DPC for violating rules on transferring Facebook users’ personal data outside the European Union. Earlier that year, in January, the company was fined $426 million for not having a valid legal basis to process user data for ad targeting on Instagram and Facebook. Additionally, in September 2021, it was fined $443 million for breaches in its handling of minors’ data on Instagram.

Meta was also found to have violated GDPR due to technical missteps, such as storing passwords in plain text. In November 2022, the DPC fined it $290 million when the platform’s features, including the contacts importer and search tools, made the personal data of hundreds of millions of users accessible to all other users.