
Meta Fined $101.5 million For Password Security Breach
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
In a Rush? Here are the Quick Facts!
- Meta was fined €91 million for inadequate password security measures.
- MPIL stored user passwords in plaintext without encryption or protection.
- DPC identified multiple GDPR violations in its findings.
The European Union’s lead privacy regulator has fined Meta €91 million ($101.5 million) for inadequate security measures regarding user passwords.
Today, the Irish Data Protection Commission (DPC) announced its final ruling in an inquiry involving Meta Platforms Ireland Limited (MPIL).
The announcement states that the inquiry began in April 2019, when MPIL reported that it had mistakenly stored certain social media users’ passwords in “plaintext,” meaning they were kept without any encryption or cryptographic protection on its internal systems.
Deputy Commissioner Graham Doyle emphasized the severity of storing passwords in plaintext, stating in the announcement:
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.”
“It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts,” he added.
In June 2024, the DPC submitted a draft decision regarding the case to other concerned supervisory authorities across the European Union and European Economic Area.
Since no objections were raised against the draft, the DPC proceeded to finalize its decision. On September 26, the DPC informed MPIL that it would face a reprimand along with a hefty fine of €91 million (approximately $101.5 million) for its negligence.
Furthermore, the commission noted that MPIL did not document the breaches. Additionally, the DPC found that MPIL had not implemented appropriate technical or organizational measures to safeguard users’ passwords from unauthorized access.
Finally, the DPC accuses MPIL of failing to implement adequate security measures appropriate for the risks associated with password processing.
According to a Meta spokesperson in an email to Bloomberg, the issue was discovered during a security review in 2019.
The spokesperson wrote, “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly.”
“We proactively flagged this issue to our lead regulator, the Irish Data Protection Commission, and have engaged constructively with them throughout this inquiry,” the spokesperson stated.
This underscores the company’s ongoing struggles with privacy compliance and raises questions about its ability to effectively protect user data.

In a Rush? Here are the Quick Facts!
- The CMA cleared Amazon’s $4 billion partnership with Anthropic.
- Anthropic will use AWS and Amazon’s custom chips for AI development.
- Anthropic’s UK turnover is below the £70 million threshold for review.
TC suggests this approach, known as a “quasi-merger,” allows Big Tech to influence startups without outright acquisition, raising concerns about long-term control over emerging technologies.
However, the CMA concluded that Anthropic’s UK turnover didn’t meet the £70 million threshold for a more detailed review, and the combined market share of both companies in the region remains below 25%.
As a result, the CMA will not conduct an in-depth investigation, clearing the way for the partnership to proceed without further oversight.