pwshub.com

Ireland fines Meta €91M over plaintext user passwords

Ireland’s privacy regulator today fined Meta Platforms Inc. €91 million over a cybersecurity flaw in its internal systems that came to light five years ago. 

The Data Protection Commission, or DPC, also issued the company a reprimand over the matter. 

In January 2019, Meta discovered that it had stored several hundred million account passwords in an unencrypted, or plaintext, format. The issue mostly affected users of Facebook Lite, a version of the Facebook mobile app for devices with slow connectivity. Tens of millions of other Facebook users were affected as well, along with a smaller number of Instagram accounts.

Meta disclosed the issue in March 2019. At the time, the company detailed that its engineers had discovered the plaintext passwords during a routine cybersecurity review. The company found no signs that the data left its internal systems or may have been accessed by an employee without permission.

Shortly after discovering the passwords, Meta notified DPC officials of the incident via its Irish subsidiary. The subsidiary, Meta Platforms Ireland Limited, operates the company’s head office in the European Union. As a result, the DPC is responsible for enforcing Meta’s compliance with the EU’s GDPR privacy law.

The watchdog launched a probe into the plaintext passwords in April 2019. This past June, it determined that the way Meta stored the data breached four GDPR provisions. The decision was only published today because it required the approval of other data protection regulators in the EU.

According to the DPC, two of the four GDPR provisions that Meta failed to comply with define how companies must respond to so-called personal data breaches. This is a regulatory term that covers not only cyberattacks but also a range of other risks. For example, cases where an employee misplaces a USB stick containing user information must be reported to privacy regulators even if there’s no sign the device fell into the hands of cybercriminals.

Meta was found to have run afoul of a GDPR provision that requires companies to thoroughly document personal data breaches. Additionally, Meta failed to comply with a section of the law that defines how such incidents must be disclosed to regulators. The GDPR mandates, among other things, that companies notify authorities of a data breach within 72 hours of discovering it.

The two other GDPR provisions that Meta breached specify steps a company must take to protect user data. According to the DPC, the first clause mandates the implementation of “appropriate technical or organisational measures” for securing user passwords. Meta was also found to have breached a related GDPR provision that specifies companies must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Meta said in a statement today that “as part of a security review in 2019, we found that a subset of FB users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly.”

Today’s DPC decision doesn’t mark the first time that Meta has been fined in Ireland over GDPR compliance issues.

In September 2022, the company received a €405 million penalty after regulators determined that Instagram had failed to protect children’s privacy adequately. A few months later, the DPC fined Meta another €265 million over weak security settings that allowed hackers to download a large quantity of user data.

Source: siliconangle.com
