Meta received a slap on the wrist on Friday to the tune of 91 million euros ($102 million) for breaking Europe's strict privacy rules. The company hadn't put enough protections in place to secure people's social media passwords, and realized it was accidentally storing them in plain text.
The Irish Data Protection Commissioner, which is in charge of ensuring Meta abides by Europe's General Data Protection Regulation, issued the fine following a five year investigation, stretching back to 2019. It was looking at whether Meta had failed to meet its obligations of guaranteeing users appropriate privacy and security, and reporting any problems to DPC.
"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Deputy Commissioner Graham Doyle in a statement. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."
The GDPR, which came into force in 2018, holds companies to high standards when it comes to protecting people's privacy. As part of the rules, companies must be proactive in ensuring that they're transparent about any potential privacy problems they discover. In line with these rules, Meta reported the problem when it made the discovery.
"As part of a security review in 2019, we found that a subset of FB users' passwords were temporarily logged in a readable format within our internal data systems," said a spokesperson for the company on Friday. "We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly."
It's not the first and only time Meta has fallen foul of privacy rules, but the company claimed it's now taken steps to make sure something similar can't happen in the future and users' passwords are fully protected.