Due to a password leak incident, Meta was fined 91 million euros by Ireland
The Irish Data Protection Commission fined Meta Platforms 91 million euros for a password leak incident. The investigation found that the company had stored user passwords in "plain text" format without encryption. This fine is a supplement to the 1.2 billion euro fine imposed by the European Commission on Meta last year, reflecting the EU's anti-monopoly crackdown on large tech companies. Meta stated that the issue has been fixed and no misuse of passwords has been detected
According to a statement from the regulatory agency obtained by Zhitong Finance APP, after conducting an investigation into the password storage of Meta Platforms (META.US), the Irish Data Protection Commission (DPC) imposed a fine of 91 million euros (approximately 102 million US dollars). The owner of Facebook had previously informed the Data Protection Commission that it inadvertently stored certain social media users' passwords in "plain text" format in its internal systems without encryption protection or measures. The commission began investigating the password leak incident in April 2019.
Last year, the European Commission accused the tech giant of transferring user data to the United States and imposed a fine of up to 1.2 billion euros (approximately 1.3 billion US dollars), making this fine a supplement to the fine imposed by the European Commission last year.
These fine measures are part of the EU's broader anti-monopoly crackdown on large US tech companies, with the Irish regulatory agency playing a key role as the primary privacy regulator for most US tech giants with European headquarters in the EU.
It is understood that DPC's latest decision includes four investigation results of GDPR violations, involving personal data leaks and failure to ensure the proper security of user passwords.
A Facebook spokesperson stated in an email to the media that the company did discover this issue during a security review in 2019. "We took immediate action to fix this mistake, and there is no evidence to suggest that these passwords were misused or improperly accessed. We proactively reported this issue to our primary regulator, the Irish Data Protection Commission, and engaged constructively with them throughout the investigation," the spokesperson said.
"Given the risk of abuse of private passwords by those accessing such data, it is widely believed that user passwords should not be stored in plain text," said Graham Doyle, Deputy Commissioner of DPC in a statement. The statement added on Friday that the commission will announce the full formal decision and further relevant triggers and investigation information at the appropriate time