
Facebook's Parent Company Meta Slapped with €91m Fine for Mishandling Password Storage

Esther

Meta, the parent company of Facebook, was fined €91 million (£75 million) on Friday by the Irish Data Protection Commission (DPC) following an investigation into the improper storage of user passwords.


The inquiry, which began in April 2019, revealed that Meta had inadvertently stored certain social media users' passwords in plain text on its internal systems without encryption.

The DPC's investigation found that Meta's actions were in violation of the General Data Protection Regulation (GDPR). Deputy Commissioner Graham Doyle emphasized the severity of the breach, stating, "It is widely accepted that user passwords should not be stored in plaintext considering the risks of abuse that arise from persons accessing such data." He further noted that the passwords in question were particularly sensitive as they could enable access to users' social media accounts.


Meta discovered the issue during a routine security review in January 2019 and promptly reported it to the DPC. Despite taking immediate action to rectify the error, the company faced massive scrutiny for failing to implement adequate technical measures to ensure the security of its users' data against unauthorized access.


A spokesperson for Meta commented, "As part of a security review in 2019, we found that a subset of FB users' passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly."


This incident is not the first time Meta has faced fines under GDPR. In May 2023, the company was fined €1.2 billion (£1 billion) for mishandling data transfers between Europe and the United States. Additionally, in 2022, Meta was fined €265 million (£220 million) after data from 533 million people in 106 countries was published on a hacking forum.


The DPC's decision, issued by Commissioners Dr. Des Hogan and Dale Sunderland, included a formal reprimand in addition to the €91 million fine. The regulatory body concluded that Meta had violated several GDPR provisions related to the breach, including failing to document and notify the DPC of the personal data breach and not implementing the required technical measures to secure users' data.


In response to the fine, Meta has stated that it has taken steps to prevent similar incidents in the future and ensure that users' passwords are fully protected.





© ICMNEWS: 2020-2024
