The European Union’s lead privacy regulator has fined Meta €91 million ($101.5 million) for improperly storing user passwords without adequate encryption.

The fine, imposed by Ireland’s Data Protection Commission (DPC), follows a five-year investigation into Meta’s handling of sensitive data.

The investigation began after Meta acknowledged in 2019 that some users’ passwords had been stored in plaintext, though no external access had occurred. The DPC emphasized the serious risks of storing passwords in an unprotected format.

This penalty adds to Meta’s €2.5 billion in fines under the EU’s General Data Protection Regulation (GDPR) since 2018.