
Meta Downplays $102 Million Fine Levied by Data Protection Commission
September 27, 2024
A password storage violation is costing Meta nearly $102 million. During a 2019 investigation, Ireland’s Data Protection Commission (DPC) found the Facebook owner had stored user passwords that were not encrypted and could be easily accessed by any employee who searched for them. Reportedly, Meta says the exposure was not that big of a deal.
The European Union’s privacy regulator found Meta did not meet the legal standard for password storage, putting millions of users’ privacy at risk. The DPC fined Meta 91 million euros ($101.6 million) for the mishap.
“It is widely accepted that user passwords should not be stored in ‘plaintext’ considering the risks of abuse that arise from persons accessing such data,” said DPC Deputy Commissioner Graham Doyle, per the BBC. “It must be borne in mind, that the passwords the subject of consideration in this case are particularly sensitive, as they would enable access to users’ social media accounts.”
In addition to improperly storing passwords, the DPC claims Meta failed to provide proper notification after it discovered the exposed information. The social media giant is required to report any data breaches within 72 hours, which it did not do, according to the DPC.
Meta Responds to Fine
According to Meta, its own internal review found the passwords were only readable for a short time. The company purportedly acted quickly once the problem was identified, and it maintains that no one’s privacy was violated.
“We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” Meta wrote in response, per AP News. “We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”
The fine imposed by the DPC is smaller than previous penalties the social media company has paid. Last year, Meta was hit with a record $1.3 billion fine for illegally transferring user data from servers in Europe to American servers, in violation of the European Union’s General Data Protection Regulation (GDPR).
