Ireland’s Data Protection Commission (DPC) has fined Meta €91 million for storing millions of user passwords in plaintext. The issue prompted a regulatory investigation into Meta’s adherence to the General Data Protection Regulation (GDPR).

Meta found in January 2019 that it had stored several hundred million account passwords in plaintext, mostly belonging to users of Facebook Lite, a version of the app designed for regions with limited internet access. Tens of millions of other Facebook accounts were also affected, along with Instagram accounts, although to a lesser degree.
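The failure described above is the opposite of standard practice: a password store should hold only a salted, slow hash of each password, never the password itself, so that even someone with read access to the store cannot recover user credentials. The following Python example is added here for illustration and is not Meta's code; it assumes scrypt with illustrative work-factor parameters and a self-describing record format of the author's own choosing. It shows how to hash and verify a password correctly, and includes a small audit routine of the kind a defender would run over a credential store to flag records that are not in the expected hashed format (that is, likely plaintext).

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Illustrative scrypt work factors (assumption for this example, not a
# recommendation from the article). N=2**14, r=8 costs about 16 MiB per hash.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_b64$hash_b64.

    A fresh random salt is generated per password so identical passwords
    produce different records and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DKLEN,
    )
    return "$".join(
        [
            "scrypt",
            str(SCRYPT_N),
            str(SCRYPT_R),
            str(SCRYPT_P),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, hash_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        actual = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt,
            n=int(n),
            r=int(r),
            p=int(p),
            dklen=len(expected),
        )
    except ValueError:
        # Malformed record (wrong field count, bad base64, bad integers):
        # treat as a failed login rather than raising.
        return False
    return hmac.compare_digest(actual, expected)


def audit_store(records: Dict[str, str]) -> List[str]:
    """Return usernames whose stored value is not a recognised scrypt record.

    This is the check a defender runs over a credential table: anything that
    does not parse as a hashed record is a candidate plaintext password and
    should be investigated and forced through a reset/re-hash.
    """
    suspect = []
    for user, value in records.items():
        parts = value.split("$")
        if len(parts) != 6 or parts[0] != "scrypt":
            suspect.append(user)
    return sorted(suspect)


# Constructed sample credential store: two correctly hashed entries and one
# plaintext entry of the kind the audit is meant to catch.
SAMPLE_STORE: Dict[str, str] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": "hunter2",  # plaintext, the failure mode the article describes
    "carol": hash_password("another-example-passphrase"),
}


if __name__ == "__main__":
    print("alice login ok:", verify_password("correct horse battery staple", SAMPLE_STORE["alice"]))
    print("alice wrong pw:", verify_password("wrong", SAMPLE_STORE["alice"]))
    print("accounts with non-hashed records:", audit_store(SAMPLE_STORE))
```

Note that `verify_password` reads the work factors from the stored record rather than from module constants, so parameters can be raised over time and old records re-hashed on next successful login without a flag day; `audit_store` deliberately checks only record shape, so it finds plaintext without ever needing to know the passwords.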

Meta made the issue public in March 2019, stating that it had detected the flaw during a routine cybersecurity review. Although there was no evidence that the data was accessed by unauthorized individuals, the discovery prompted immediate notification to the DPC.

Meta Platforms Ireland Limited, the company’s EU headquarters, operates under the jurisdiction of the DPC, which launched a formal investigation in April 2019. The probe found that Meta had breached four GDPR provisions concerning data protection and breach notification. The DPC determined that Meta had failed to implement appropriate technical measures to secure user passwords and had not adequately documented or reported the breach in accordance with GDPR guidelines.

Two of the violated GDPR provisions concern how companies must respond to personal data breaches. For example, the GDPR requires organizations to notify authorities of a breach within 72 hours, a requirement Meta was found to have neglected. Additionally, Meta had not thoroughly documented the breach as required. The other two violations concern the GDPR's requirement to implement sufficient security measures to protect user data, which the DPC found Meta had not met.

In a statement, Meta emphasized that the issue was identified and corrected as part of its 2019 security review. This fine follows previous penalties against Meta in Europe, including a €405 million fine in 2022 for failing to protect children’s privacy on Instagram, and a staggering €1.2 billion fine for improper transfer of EU user data to the United States.