After investigating, the DPC has concluded that Meta failed to meet the bloc’s legal standard since the passwords were not protected with encryption. It created a risk as third parties could potentially access people’s sensitive information stored in their social media accounts.

The regulator, which leads on oversight of Meta’s GDPR compliance, also found Meta broke the rules by failing to notify it of the breach within the required timeframe (the regulation generally stipulates breach reporting should take place no later than 72 hours after becoming aware of it). Meta also failed to properly document the breach, per the DPC.