Facebook parent Meta’s operations in Ireland have been hit with a $102 million fine and formal reprimand for failing to protect users’ passwords, Ireland’s Data Protection Commission (DPC) announced at the conclusion of a four-year investigation into the social media giant’s handling of sensitive user data.
The DPC said in a Sept. 27 announcement that Meta had failed to implement appropriate security measures for user passwords, resulting in the inadvertent storage of these sensitive details in plaintext—rather than with cryptographic protection—in the company’s internal systems.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, DPC deputy commissioner, said in a statement. “It must be borne in mind that the passwords subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”
The investigation, launched in April 2019, followed Meta’s notification to the DPC regarding the issue. At the time, Meta reported that passwords belonging to hundreds of millions of its users, including those on Facebook, Facebook Lite, and Instagram, had been stored without cryptographic protection or encryption within the company’s internal data storage systems.