Reset your clocks: Meta has been hit with yet another privacy penalty in Europe. On Friday Ireland’s Data Protection Commission (DPC) announced a reprimand and a €91 million fine — around $101.5M at current exchange rates — after concluding a multi-year investigation into a 2019 security breach by Facebook’s parent company.
The DPC opened a statutory inquiry into the incident in question in April 2019 under the bloc’s General Data Protection Regulation (GDPR) after Meta, or Facebook as the company was still called back then, notified it that “hundreds of millions” of users’ passwords had been stored in plaintext on its servers.
The security incident is a legal issue in the European Union because the GDPR requires that personal data is appropriately secured.
After investigating, the DPC has concluded that Meta failed to meet the bloc’s legal standard since the passwords were not protected with encryption but stored in plaintext — creating a risk that people’s sensitive information stored in their social media accounts could be accessed by third parties.
The regulator, which leads on oversight of Meta’s GDPR compliance, also found Meta broke the rules by failing to notify it of the breach within the required timeframe (the regulation generally stipulates breach reporting should take place no later than 72 hours after becoming aware of it). Meta also failed to properly document the breach, per the DPC.
Commenting in a statement, deputy commissioner Graham Doyle wrote: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
Reached for a response to its latest GDPR sanction, Meta spokesman Matthew Pollard emailed a statement in which the company sought to play down the finding by claiming it took “immediate action” over what had been an “error” in its password management processes.
“As part of a security review in 2019, we found that a subset of FB [Facebook] users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” Meta wrote. “We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry.”
Meta had already racked up a majority of the largest GDPR penalties handed out to tech giants so the latest sanction merely underscores the scale of its problems with privacy compliance.
The penalty is notably stiffer than a €17M fine the DPC handed to Meta in March 2022 over a 2018 security breach. The Irish regulator has had a change of senior management since then. However the two incidents are also different: Meta’s earlier security lapses affected up to 30 million Facebook users vs the hundreds of millions whose passwords were said to have been exposed as a result of its failure to secure passwords in 2019.
The GDPR empowers data protection authorities to issue fines for breaches where the amount of any penalties is calculated based on factors such as the nature, gravity and duration of the infringement; the scope or purpose of the processing; and the number of data subjects affected and level of damage suffered, among other considerations.
The highest possible penalty under the GDPR is 4% of global annual turnover. So, in Meta’s case, a €91M fine may sound like a significant chunk of change — but it remains a tiny fraction of the billions the company could theoretically face, given its annual revenue for 2023 was a staggering $134.90B.