Meta hit with $102 million privacy fine from European Union over 2019 password security lapse

LONDON (AP) — Meta was punished Friday with a fine worth more than $100 million from the social media giant’s European Union privacy regulator over a security lapse involving passwords for Facebook users.

The Irish Data Protection Commission said it slapped the U.S. tech company with the 91 million euro ($101.6 million) penalty following an investigation.

The watchdog started investigating in 2019 after it was notified by Meta that some passwords had been inadvertently stored internally in plain text, which means they weren’t encrypted and it was possible for employees to search for them.

Deputy Commissioner Graham Doyle said it’s “widely accepted” that user passwords should not be stored in plain text, “considering the risks of abuse.”

Meta said a security review found that a “subset” of Facebook users’ passwords were “temporarily logged in a readable format.”

“We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” the company said in a statement. “We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”

It’s the latest in a series of hefty fines for Meta and its social media platforms from the Dublin-based watchdog, which is the company’s lead regulator under the 27-nation EU’s stringent data privacy rulebook. They include a 405 million euro fine for Instagram over mishandling teen data, a 5.5 million euro penalty involving WhatsApp and a 1.2 billion euro fine for Meta over transatlantic data transfers.