Ireland’s privacy regulator has opened an investigation into Facebook over its failure to securely protect millions of its users’ passwords.
The investigation, which will likely take months, follows revelations from the world’s largest social network last month that some of its engineers had stored hundreds of millions of people’s passwords from both Facebook and Instagram, the picture-sharing service owned by the company, on unencrypted internal servers.
The latest regulatory headache for Facebook comes a day after it confirmed to investors that the company had set aside $3 billion for a potential privacy fine linked to an ongoing investigation by the U.S. Federal Trade Commission. An announcement in that separate case is expected within months.
It also marks the 11th investigation into Facebook and its subsidiaries by Ireland’s data protection agency that has been accused of taking a lenient regulatory line with some U.S. tech companies, many of which have moved to Dublin to take advantage of Ireland’s low corporate tax rate.
By opening its latest investigation, the country’s privacy officials will be able to take advantage of Europe’s new data protection rules, known as the General Data Protection Regulation (GDPR). These beefed-up standards include fines of up to 4 percent of a company’s global revenue or €20 million, whichever is higher, in cases of abuse.
It is uncertain whether Facebook will eventually be fined in this latest case. Some of the Irish regulator’s other investigations into the social network are expected to conclude by the summer.
In a statement published last week, Facebook said its users’ passwords had not been visible to anyone outside of the company, and it has found no evidence that its employees had inappropriately used the information.