Data Stored on Unencrypted Hard Drives Stolen From Car, Bloomberg Reports
The payroll data of 29,000 current and former Facebook employees was potentially exposed in November when several unencrypted hard disk drives were stolen, Bloomberg reports.
The data included U.S. employees’ names, bank account numbers and the last four digits of some workers’ Social Security numbers, according to an email sent to Facebook employees on Friday, Bloomberg reports. The drives also included some employees’ compensation information, including salary and bonus details, according to the news service’s report.
In the email to employees, Facebook noted that on Nov. 17, someone broke into an employee’s car and took the hard disk drives containing the data, Bloomberg reports. It’s not clear why the unnamed employee, who works in Facebook’s payroll department, had the hard disk drives in their car or why those devices weren’t encrypted.
The employee was not authorized to take the hard drives outside of the office, according to Bloomberg, which added that Facebook has taken “disciplinary action” against the employee.
Bloomberg reports that Facebook became aware of the incident on Nov. 20. The company finished an initial, internal forensic investigation on Nov. 29, which confirmed that the drives contained sensitive employee data. The company is cooperating with law enforcement on its investigation, the news service reports.
A Facebook spokesperson told Information Security Media Group that the company doesn’t believe the person who took the drives was looking for employee data.
“Out of an abundance of caution, we have notified the current and former employees whose information we believe was stored on the equipment – people who were on our U.S. payroll in 2018 – and are offering them free identity theft and credit monitoring services,” the Facebook spokesperson told ISMG. “This theft impacts current and former Facebook employees only, and no Facebook user data was involved.”
Similar incidents have resulted in lawsuits that have been settled.
In April, for instance, Washington State University agreed to pay more than $4.7 million to settle a lawsuit stemming from the theft of a portable hard disk drive from a self-storage unit. The drive contained information on about 1.2 million individuals – much of it unencrypted – that was gathered for an education research project, according to the settlement (see: What Led to a $4.7 Million Breach Lawsuit Settlement?).
Paul Bischoff, a privacy advocate at Comparitech, says: “The Facebook employees whose data was stolen are at risk of identity theft, tax fraud, and targeted phishing attacks. Data theft like this can be difficult to avoid, but operational security practices should be in place to help prevent it.”
Facebook has been repeatedly criticized over the years for how it handles and stores its customers’ personal data.
In July, the U.S. Justice Department and the Federal Trade Commission fined Facebook a record-setting $5 billion for violating users’ privacy related to the Cambridge Analytica scandal. CEO Mark Zuckerberg agreed to implement new privacy safeguards to ensure user data would not be accessed by third parties without a customer’s consent (see: It’s Official: FTC Fines Facebook $5 Billion).
In November, Facebook admitted that it allowed third-party app developers to wrongfully gain access to its customers’ private data (see: Facebook: Developers Wrongfully Accessed User Data – Again).
In a blog post, Facebook noted that the company changed access for about 100 third-party developers after the problem was discovered. The wrongful access included certain APIs, including the social media platform’s groups feature, according to the post.