An Irish regulator helping to police European Union data privacy says it has fined Facebook owner, Meta 91 million euros ($102 million) for password-security breaches.
The Data Protection Commission criticised Meta for failing to put in place appropriate security measures to protect users’ password data and for taking too long to alert the regulator over the issue.
An inquiry was launched in April 2019 after Meta Ireland informed the regulator that it had “inadvertently stored certain passwords of social media users” in a readable format on its internal system, the DPC said in a statement.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” said Graham Doyle, the regulator’s head of communications.
Doyle told newsmen that the breach, which took place in January 2019, affected 36 million Facebook and Instagram users across the European Economic Area, which comprises the EU plus Iceland, Liechtenstein and Norway.
The regulator criticised Meta for not alerting the DPC of the problem until March 2019.
In a statement to newsmen, Meta acknowledged that some Facebook users’ passwords were “temporarily stored in a readable format in our internal data systems”.
