Meta, the parent company of Facebook, Instagram and WhatsApp, was fined 91 million euros ($102 million) by an Irish regulatory body Friday for alleged lack of transparency after a security breach that affected user passwords.
In its decision, the Irish Data Protection Commission (DPC), which acts on behalf of the European Union, alleged that Meta violated the EU General Data Protection Regulation (GDPR). It takes a long time to report a problem.
The DPC launched an investigation in April 2019 after Meta Ireland was informed that “hundreds of user passwords” had been “inadvertently” stored, although these were “not disclosed to external parties”, it said in a statement.
The security breach dates back to January 2019 and affected 36 million Facebook and Instagram users in the European Economic Area, the company’s head of communications Graham Doyle told AFP. The DPC alleged that Meta was not informed until two months later, March 2019.
Meta acknowledged that some user passwords were “temporarily stored in a readable format in internal data systems,” but promised “immediate action to correct the error,” according to a statement sent to AFP.
“There is no evidence that these passwords have been misused or accessed inappropriately,” the company said.
This is not the first time the group has been in the EU’s crosshairs for violating the RGPD, which has been in force since 2018, and has already received more than $1.1 billion in fines for its treatment of its customers’ personal data. Total from 2021 onwards.