Facebook may be fined over $2bn for leaving hundreds of millions of passwords exposed

Facebook could be facing a huge fine after last month’s revelation that it had been accidentally storing hundreds of millions of users’ passwords in plain text.

Ireland’s Data Protection Commission (DPC), the regulator which oversees Facebook within the European Union, has launched an inquiry into Facebook’s failings. Should Facebook be found to have breached Europe’s GDPR privacy laws, it could face a fine in excess of $2bn.

Facebook says that the passwords never became visible to anybody outside of the company and that it hasn’t found any evidence that the passwords had been misused by anybody. But this hasn’t stopped the DPC from looking into the issue.

“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” said Ireland’s Data Protection Commission in a statement. “We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR.”

Under GDPR, a company that breaches the regulation faces a fine of up to €20m, or four per cent of global annual turnover, whichever is higher. As Facebook’s global annual turnover is considerably more than €20m, it could face a fine in excess of $2bn.

The DPC launched a similar “statutory inquiry” into Facebook in December when a bug exposed the private photos of 7m of the social network’s users.