On 27 September 2024, the Irish Data Protection Commission (DPC) fined Meta €91 million for inadvertently storing some users' passwords. The company stored passwords in plaintext in its systems without protection or encryption.
An inquiry was launched in April 2019 after Facebook owner Meta notified the DPC that it had stored certain social media users’ passwords on its internal systems in plaintext without encryption. Meta publicly acknowledged the incident at the time. The company took immediate action to fix the issue after identifying it during a security review in 2019. No evidence was found that the passwords were abused or leaked.
In 2019 DPC confirmed the passwords were not leaked to external parties but continued the investigation.
In September 2024, Meta was accused of performing four breaches of the General Data Protection Regulation (GDPR).
DPC deputy commissioner Graham Doyle said: “It is widely accepted that user passwords should not be stored in plaintext considering the risks of abuse that arise from persons accessing such data”. The passwords are particularly sensitive since they would enable access to users’ social media accounts.
As a result of the GDPR breaches, Meta received a requirement to fix an issue and a 91 million euro fine.
Meta’s Previous Fines
It’s not the first time Meta was fined by data protection authorities.
In May 2023, Meta was fined €1.2bn for inadequate transfer of users’ data between Europe and the United States. The fine was also issued by Ireland's DPC. Until now, the fine remains the largest fine imposed under the GDPR. Meta is appealing the fine right now.
In 2022, Meta was fined €265m after data from 533 million people was leaked from Facebook years earlier. At the time, the data was hacked and included much information like names, Facebook IDs, mobile phone numbers, real addresses, birth dates, and email addresses of people from more than 100 countries.
So far Meta was fined 2.5 billion euros in total for the GDPR breaches.
Need to comply with the GDPR? Choose CookieScript Consent Management Platform, and we will take care of your website's GDPR and other privacy laws' compliance issues!
Frequently Asked Questions
Why was Meta fined in September 2024?
On 27 September 2024, Meta was accused of performing four breaches of the GDPR. The Irish Data Protection Commission (DPC) fined Meta €91 million for inadvertently storing some users' passwords in plaintext in its systems without protection or encryption. Choose CookieScript Consent Management Platform (CMP), and we will take care of your website's GDPR and other privacy laws' compliance issues!
Why are the most GDPR-related fines issued by the Irish Data Protection Commission?
The Irish Data Protection Commission (DPC) has issued the most GDPR-related fines because many major U.S. tech companies, like Meta, Google, Apple, and LinkedIn have their European headquarters in Ireland. Under the GDPR, if a company operates in multiple EU countries, the main EU office (typically the headquarters) is responsible for ensuring GDPR compliance across all EU operations. Thus, the Irish DPC becomes responsible for investigating and enforcing GDPR compliance. Use CookieScript CMP to comply with the GDPR.