Facebook failed to warn users of 2018 data breach, lawsuit claims

Court filings say the social network chose to protect employees over its users

US Facebook users have filed a lawsuit against the social media firm over the handling of a 2018 data breach, one that they say the company was aware of long before it was officially reported, a court filing has revealed.

The documents, seen by Reuters, also suggest that Facebook took steps to protect its employees from the vulnerability but not its users.

In October last year, Facebook revealed that some 30 million access tokens, used to keep accounts logged into Facebook whenever the app is closed down, were stolen after hackers exploited a coding vulnerability on the website.

The lawsuit alleges that the company was aware of the issue for a number of years prior to its October blog post, and that the company decided not to notify users of the flaw.

"Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge," the plaintiffs said in a heavily redacted section of the filing in the U.S. District Court for the Northern District of California in San Francisco.

"Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users."

At the start of the case, Judge William Alsup warned the company that he was willing to allow "bone-crushing discovery to uncover how much user data was stolen", according to Reuters. Since its initial disclosure of the hack, Facebook has put forward very little detail, saying only that a "broad" spectrum of users were affected.

The Irish Data Protection Commission (DPC) confirmed that three million EU users were hit by the attack. Of the 30 million total users affected, 15 million were said to have had their name, listed contact details, phone and email addresses exposed. Another 14 million had potentially sensitive information such as location data and search history leaked.

"As more details are coming to light about this massive security breach, the public and Facebook users are gaining a deeper understanding of exactly how their data was misused - not only by the attackers but also by Facebook," said Robert Ramsden-Board, VP for EMEA at Securonix.

"Facebook should have been much clearer to customers about how their data would be used when deploying the single sign-on tool, however, this clearly did not happen."

The breach happened in the same year as the Cambridge Analytica scandal, and while both initial incidents were major blows to the company's reputation, the manner in which the social network handled them proved to be just as damaging.

Currently, the UK government is questioning whether Facebook's CTO Mike Schroepfer deliberately gave misleading testimony about the Cambridge Analytica scandal, with MPs suggesting "inconsistent evidence" was provided.

IT Pro has approached Facebook for comment.
