EU privacy regulator fines Meta 91 million euros over password storage
Social networking behemoth Meta was fined 91 million euros ($101.5 million) by the top privacy authority in the European Union on Friday for unintentionally storing certain users’ passwords without encryption or security.
The inquiry was opened five years ago after Meta notified Ireland’s Data Protection Commission (DPC) that it had stored some passwords in ‘plaintext’. Meta publicly acknowledged the incident at the time, and the DPC said the passwords were not made available to external parties.
A Meta spokesperson said the company took immediate action to fix the error after identifying it during a security review in 2019 and that there is no evidence the passwords were abused or accessed improperly.
Meta engaged constructively with the DPC throughout the inquiry, the spokesperson added in a statement on Friday.
The DPC is the lead EU regulator for most of the top U.S. internet firms because their EU operations are located in Ireland.
It has so far fined Meta a total of 2.5 billion euros for breaches under the bloc’s General Data Protection Regulation (GDPR), introduced in 2018, including a record 1.2 billion euro fine in 2023 that Meta is appealing.