Facebook lost a key court ruling last week and now must face a lawsuit tied to a data breach of its platform disclosed in 2018, which impacted nearly 30 million of its users.
The breach, first disclosed by Facebook in September 2018, directly involved the access tokens of 30 million accounts. The incident prompted several Facebook users to file class-action complaints in federal district court in San Francisco, alleging that Facebook had failed to properly secure user data.
Facebook moved to dismiss the class-action complaint in March, but last week U.S. District Judge William Alsup denied that motion in a new ruling, holding that the claims against Facebook for negligence and for failing to secure user data can proceed.
“From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks,’” Alsup wrote, according to reports.
In its September 2018 disclosure, Facebook said that attackers had exploited a flaw in its “View As” feature, which lets users see what their own profile looks like to another account (i.e., to check that their privacy settings are working as intended), and used it to obtain access tokens for other users’ accounts. Facebook originally put the number of affected accounts at almost 50 million; after further investigation it revised that figure down to 30 million.
While Judge Alsup ruled on June 21 that the negligence and failure-to-secure claims could proceed, the court dismissed several other claims against Facebook, including an allegation that the company breached its contract with users and an allegation that it violated a California consumer data-protection law that expands privacy rights and data-protection obligations for residents of the state.
“We’re pleased that the court dismissed several claims and we look forward to continuing our defense of the remaining claims,” a Facebook spokesperson told Threatpost.
In its September 2018 disclosure, the company said that the attackers had accessed private data, potentially including users’ names and contact details (phone number or email), gender, language, relationship status, religion and hometown, among other fields.
Complaints against the social media platform alleged that the breach stemmed from “lax and non-existent” data policies.
“This case involves the continuing and absolute disregard with which Defendant Facebook has chosen to treat the PII of account holders who utilize Facebook’s social media platform,” the initial complaint states. “While this information was supposed to be protected, Facebook, without authorization, exposed that information to third parties through lax and non-existent data safety and security policies and protocols.”
The September 2018 breach is distinct from other Facebook-related data-privacy incidents, including allegations that Facebook used access to user data as leverage in its relationships with other companies, as well as two separate publicly exposed third-party app datasets that contained hundreds of millions of Facebook records, including account names, personal data and more.
The social media company may also be facing fines of as much as $5 billion following a year-long Federal Trade Commission (FTC) investigation into its privacy and data-handling practices, opened in the wake of the Cambridge Analytica scandal that broke in 2018.