The European Union's privacy regulator fined Meta, parent company of Facebook, 91 million euros for storing users' passwords in plaintext. It was a bug—sloppy, but not intentional—and they turned themselves in. The fine was for failure to implement "data protection by design and by default."
Meta publicly acknowledged the incident at the time, and the DPC said the passwords were not made available to external parties. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," Irish DPC Deputy Commissioner Graham Doyle said in a statement. A Meta spokesperson said the company took immediate action to fix the error after identifying it during a security review in 2019, and that there is no evidence the passwords were abused or accessed improperly.
Facebook's total GDPR bill is 2.5 billion euros so far. For a company that makes tens of billions a year in profits, it's just another cost of doing business.
Previously:
• Grindr fined $6m for passing user data to commercial partners
• UK MPs recommend laws compelling Google to censor search results
• CCPA: California to enforce new digital privacy law starting today, despite calls for further pandemic delay
• Zuckerberg: Facebook will not stop spying on Americans to comply with EU privacy law
• Facebook expects up to $5 billion FTC fine over privacy