
Meta fined €91 million as EU cracks down on GDPR breaches

14/10/2024

The Irish Data Protection Commission (DPC) has fined Meta €91 million following a security lapse in which the company "inadvertently" stored user passwords without cryptographic protection or encryption.


The penalty is part of a broader crackdown by the EU for non-compliance with the General Data Protection Regulation (GDPR).


The investigation uncovered that Meta violated four articles of the EU’s GDPR. The inquiry was first opened five years ago after Meta notified the DPC that it had stored some passwords in plaintext.


The DPC, responsible for ensuring Meta complies with GDPR across Europe, criticised Meta for failing to promptly notify them of the breach, document incidents related to the plaintext storage of passwords and implement adequate technical measures to protect user confidentiality.


The DPC investigation started in April 2019 after Meta Platforms Ireland Limited notified the DPC, the lead supervisory authority for the Facebook and Instagram parent in the EU. The DPC submitted its draft decision to the other EU and EEA supervisory authorities concerned in June 2024 and received no objections.


Graham Doyle, Deputy Commissioner at the DPC, said: "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data."


Some of the exposed passwords date back to 2012, with a senior employee revealing that around 2,000 engineers or developers conducted approximately nine million internal queries for data containing plaintext user passwords.


In April 2019, a month after its initial disclosure, Meta (then Facebook) acknowledged that millions of Instagram passwords had also been stored in the same manner and announced plans to notify affected users.


Last year Facebook owner Meta was hit with a record €1.2bn fine by the Irish data watchdog and was instructed to stop transferring EU users' data to the US.


Meta claims it has reinforced its internal security processes as part of its commitment to improve data protection.


The DPC has imposed fines totalling €2.5 billion on Meta for violations of the EU’s General Data Protection Regulation (GDPR), which was introduced in 2018. This includes a record €1.2 billion fine in 2023, which Meta is currently appealing.


W Denis Europe arranges comprehensive insurance for EEA-based businesses, large and small, including Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more.


For more information, please contact:


Eastern Europe

Vida.Jarasiunaite@wdenis.eu


Southern Europe

Christos.Hadjisotiris@wdenis.com


Western Europe &/or elsewhere worldwide

Mark.Dutton@wdenis.com
