Facebook recently announced that hackers exploited a series of vulnerabilities within the social media company’s systems and accessed data from approximately 50 million user profiles. Later that day, the company found itself facing a class action lawsuit filed in the Northern District of California.
The lawsuit alleges that Facebook violated California laws related to unfair competition and negligence, and concealed its “grossly inadequate” security measures. It also calls for a certification of a class of “all persons who registered for Facebook accounts in the United States and whose PII (personally identifiable information) was accessed, compromised, or stolen from Facebook in the 2018 Data Breach.”
According to Facebook, the problem allowed attackers to use the “View As” feature to steal Facebook access tokens, which in turn allowed them to take over the Facebook accounts of logged-in users. Facebook responded by resetting the access tokens of the affected accounts and of all accounts that had used “View As” in the previous year, requiring 90 million individuals to log back into their accounts. Facebook also notified law enforcement and turned off the “View As” feature.
A few hours after Facebook announced the problem, the company confirmed that information on third-party apps with a “login from Facebook” feature may also have been available to hackers. This includes information not only on Facebook-owned apps like Instagram, but also on apps like Tinder and Uber, which allow users to log in with their Facebook accounts.
Facebook described the problem as being the result of the interaction of three different bugs, all of which the company says it is working to address.
Where Does Facebook Stand?
Facebook published its blog post about the breach on the morning of September 28. By that afternoon, a lawsuit had been filed in the U.S. District Court for the Northern District of California.
The suit’s named plaintiffs are Carla Echavarria of California and Derrick Walker of Virginia. The lawsuit, however, seeks to certify a class of “all persons…whose PII was compromised.”
The complaint argues that Facebook’s failure to protect its users’ data from the breach resulted from negligence, and that Facebook’s response was to attempt to conceal a “lax and inadequate approach to data security.”
This suit is not the first time Facebook has been put on the defensive regarding its security measures. In the wake of the news that Cambridge Analytica, a political data firm, had gained access to the profile data of millions of Facebook users in a manner that could have affected the outcome of the 2016 election, Facebook has found itself named as a defendant in a number of lawsuits.
Most of the cases focus on questions of data security and transparency: what steps Facebook takes to keep user data out of others’ hands and what it tells the public about this process.
“[Facebook] knew its data security measures were grossly inadequate by, at the absolute latest, March 2018 when the Cambridge Analytica matter came to light, exposing Facebook’s lax and inadequate approach to data security,” the complaint alleges, arguing that the events of March 2018 should have put Facebook on notice that its security measures were inadequate and should have prompted the company to correct them before the September 2018 breach occurred.
“In response to all of these facts,” the complaint argues, “[Facebook] chose to do nothing to protect [the users affected by the data breach] or warn them about the security problems and, instead, openly represented to Congress and foreign governments that Facebook was dedicated to the highest and most advanced security practices and protocols.”
The lawsuit is not likely to be the last Facebook faces regarding its data security. The company reported having 2.23 billion monthly active users worldwide as of the second quarter of 2018, making it a treasure trove of information for hackers and other parties seeking to exploit personal data. Coupled with the company’s position at the forefront of relatively new and untested technologies, Facebook could easily face additional attacks on its security in the future – and additional lawsuits scrutinizing its approach to securing that information.