Account Takeover Fraud , Cybercrime , Fraud Management & Cybercrime

Facebook Breach Victims Can Sue For 'Reasonable' Security

But Judge Rules Plaintiff in 2018 Breach Case Not Eligible for Compensation
Facebook Breach Victims Can Sue For 'Reasonable' Security
Facebook CEO Mark Zuckerberg speaks at the Facebook Communities Summit in February 2019 (Photo: Facebook)

Victims of a Facebook data breach can continue a class-action lawsuit to try and force the social network to improve its security practices, a federal judge has ruled.

See Also: Account Takeover Attacks: How to Protect your Reputation and Revenue

But U.S. District Court Judge William Alsup, in an order he issued Tuesday, dismissed a plaintiff's attempt to seek damages from Facebook, including covering the cost of identity theft monitoring services for all U.S. victims of the 2018 data breach, which affected nearly 30 million users worldwide.

U.S. District Court Judge William Alsup's Nov. 26 order in the case of "Adkins v. Facebook"

News of the judge's order was first reported by Reuters. Facebook didn't immediately respond to a request for comment on the judge's Tuesday order.

The Facebook data breach involved attackers abusing its "view as" privacy feature - designed to enable users to see how their account looks to others - to steal remote access tokens for users' accounts. The social network uses such tokens to authenticate users to multiple services in the background and maintain single sign-on (see Facebook Breach: Attackers Exploited Privacy Feature).

"This vulnerability was discovered by hackers, and the way they exploited it is not just finding this vulnerability and using it to get an access token, but then every time they have an access token pivoting from that to other accounts, other friends of that user to get further access tokens," Guy Rosen, Facebook's vice president of product management, said at a press briefing on Sept. 28, 2018. That's when Facebook first publicly disclosed the breach, saying it had first discovered the security incident three days prior (see Facebook Breach: Single Sign-On of Doom).

Facebook initially estimated that 50 million user accounts had been exposed, but later revised the figure to 29 million, of which more than 4 million accounts were U.S.-based.

Extensive Personal Details Stolen

The court case has brought further details of the breach to light. Notably, Facebook says that hackers gained access tokens for 300,000 accounts, which they used to run two separate batches of search queries.

"The first yielded the names and telephone numbers and/or email addresses of 15 million users worldwide (2.7 million in the United States). The second yielded more sensitive information on 14 million users worldwide (1.2 million in the United States)," according to court documents.

"The information taken from this second group included names, telephone numbers, email addresses, gender, date of birth, and, to the extent the fields were populated, workplace, education, relationship status, religious views, hometown, self-reported current city, and website," according to court documents. "Within this second group, the hackers also obtained the user’s locale and language, the type of device used by the user to access Facebook, the last 10 places the user was 'tagged' in or 'checked into' on Facebook, the people or pages on Facebook followed by the user, and the user’s 15 most recent searches using the Facebook search bar."

Facebook told the court that the original 300,000 users whose accounts had been hacked had the same information stolen as the second group.

Consolidated: Multiple Class-Action Lawsuits

In the wake of the breach, multiple individuals launched lawsuits against Facebook, seeking class-action status. But due to case consolidation and default judgments, only one plaintiff remains: Stephen Adkins, a Michigan resident whose data was exposed in the breach.

The social network had argued in court that the case brought by Adkins should be dismissed.

U.S. District Court Judge William Alsup

Adkins had already established that he and other breach victims had suffered an actual or threatened injury, under what's known as Article III standing, "because of a substantial risk of identity theft and also because he has lost time due to the breach," Judge Alsup wrote in his order (see Why So Many Data Breach Lawsuits Fail).

The judge also noted that for all breach victims, their "identity remains at peril, theft-wise."

But he dismissed an attempt to force Facebook to compensate breach victims for "lost time" due to the breach, and to set aside cash to pay for all U.S. breach victims' subscriptions to identity theft monitoring services. In part, that was because the plaintiff wasn't seeking to recover such costs, since he had not purchased such monitoring himself after the breach.

"If some members of the class bought credit monitoring because of this data breach, perhaps they can assert such a claim," the judge wrote.

Plaintiff Seeks 'Reasonable Security Measures'

The judge did rule, however, that the class-action lawsuit can proceed with its attempt to force Facebook to implement "reasonable" security measures.

The case launched by Adkins seeks a declaration that "Facebook’s existing security measures do not comply with its duties of care to provide adequate security," according to court documents. It also seeks a court order requiring Facebook to "implement and maintain reasonable security measures, including that Facebook engage third-party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests, and audits on Facebook’s systems on a periodic basis, and ordering Facebook to promptly correct any problems or issues detected by such third-party security auditors," according to court documents.

"Facebook argues that plaintiff does not have standing … because Facebook has fixed the bug that caused the data breach," the judge wrote. "This order holds that Facebook’s repetitive losses of users’ privacy supplies a long-term need for supervision, at least at the Rule 23 stage," which refers to the rules governing how class-action lawsuits may be pursued.

"At this stage, there is a likelihood of future harm to warrant potential relief," the judge wrote.

The judge set a deadline of Dec. 19 for the plaintiff and counsel to "jointly submit a proposal for class notification with a plan to distribute notice, including by first-class mail and via Facebook," to all breach victims.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.