Facebook, Inc. has again exposed the personal information of users, this time in a data breach announced on September 28, 2018. The complaint for this class action claims that the company’s “lax security practices” led to the breach, which exposed information pertaining to some thirty million Facebook users.
The complaint proposes a class and a subclass for this action.
Facebook has over two billion users. When joining, users are required to share information, including name, e-mail address or mobile phone number, date of birth, and gender.
Facebook itself collects information on users, such as, in Facebook’s words, “information about the people, Pages, accounts, hashtags and groups you are connected to and how you interact with them across our Products,” “how you use our Products, such as the types of content you view … the actions you take…” and, if you use a Facebook product for a purchase or financial transaction, “information about the purchase or transaction, including payment information, such as … card information, [and] other account and authentication and information…”
How did the data breach happen? According to the complaint, it was the result of a “software vulnerability that permitted access tokens” to be taken. The tokens allowed users to stay signed in to Facebook, so that they did not have to enter their passwords again.
The complaint says, “The vulnerability existed for over a year, from July 2017 to September 2018.” Also, it may have had some impact on other accounts, because of a function called Facebook Login. This permits users to use their Facebook accounts and credentials to sign into accounts on other sites, such as Netflix, ESPN, and Spotify.
Facebook said that 15 million users had their names and contact information stolen and 14 million others had “additional details taken related to their profiles, such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow.” The complaint claims that this information can be as valuable to criminals as financial data.
The company has admitted it has data privacy problems, the complaint says, particularly after the Cambridge Analytica affair, where access to personal data was misused.
The counts cited in the complaint includes breach of contract, negligence, and breach of implied duty to perform with reasonable care, among other things.