The Irish Data Protection Commission (DPC) has fined Meta $101.5 million (€91 million) following an investigation into a 2019 security breach where the company inadvertently stored users’ passwords in plain text. Originally, Meta disclosed that some user passwords were stored this way on its servers in January, but later revealed that millions of Instagram passwords were also stored in an easily readable format. While the exact number of affected accounts was not specified, a senior employee suggested up to 600 million passwords were involved, some dating back to 2012 and accessible by over 20,000 Facebook employees. The DPC determined that Meta violated GDPR rules by failing to promptly notify the DPC of the breach, not documenting personal data breaches, and neglecting to use appropriate security measures. DPC’s Deputy Commissioner, Graham Doyle, emphasized the sensitivity of the situation, stating that storing passwords in plaintext poses significant risks. The DPC also issued a reprimand to Meta in addition to the monetary penalty, with more details to come in the commission’s final decision publication.
