Facebook Breach Victims Can Sue For 'Reasonable' SecurityBut Judge Rules Plaintiff in 2018 Breach Case Not Eligible for Compensation
Victims of a Facebook data breach can continue a class-action lawsuit to try and force the social network to improve its security practices, a federal judge has ruled.
But U.S. District Court Judge William Alsup, in an order he issued Tuesday, dismissed a plaintiff's attempt to seek damages from Facebook, including covering the cost of identity theft monitoring services for all U.S. victims of the 2018 data breach, which affected nearly 30 million users worldwide.
News of the judge's order was first reported by Reuters. Facebook didn't immediately respond to a request for comment on the judge's Tuesday order.
The Facebook data breach involved attackers abusing its "view as" privacy feature - designed to enable users to see how their account looks to others - to steal remote access tokens for users' accounts. The social network uses such tokens to authenticate users to multiple services in the background and maintain single sign-on (see Facebook Breach: Attackers Exploited Privacy Feature).
"This vulnerability was discovered by hackers, and the way they exploited it is not just finding this vulnerability and using it to get an access token, but then every time they have an access token pivoting from that to other accounts, other friends of that user to get further access tokens," Guy Rosen, Facebook's vice president of product management, said at a press briefing on Sept. 28, 2018. That's when Facebook first publicly disclosed the breach, saying it had first discovered the security incident three days prior (see Facebook Breach: Single Sign-On of Doom).
Facebook initially estimated that 50 million user accounts had been exposed, but later revised the figure to 29 million, of which more than 4 million accounts were U.S.-based.
Extensive Personal Details Stolen
The court case has brought further details of the breach to light. Notably, Facebook says that hackers gained access tokens for 300,000 accounts, which they used to run two separate batches of search queries.
"The first yielded the names and telephone numbers and/or email addresses of 15 million users worldwide (2.7 million in the United States). The second yielded more sensitive information on 14 million users worldwide (1.2 million in the United States)," according to court documents.
"The information taken from this second group included names, telephone numbers, email addresses, gender, date of birth, and, to the extent the fields were populated, workplace, education, relationship status, religious views, hometown, self-reported current city, and website," according to court documents. "Within this second group, the hackers also obtained the user’s locale and language, the type of device used by the user to access Facebook, the last 10 places the user was 'tagged' in or 'checked into' on Facebook, the people or pages on Facebook followed by the user, and the user’s 15 most recent searches using the Facebook search bar."
Facebook told the court that the original 300,000 users whose accounts had been hacked had the same information stolen as the second group.
Consolidated: Multiple Class-Action Lawsuits
In the wake of the breach, multiple individuals launched lawsuits against Facebook, seeking class-action status. But due to case consolidation and default judgments, only one plaintiff remains: Stephen Adkins, a Michigan resident whose data was exposed in the breach.
The social network had argued in court that the case brought by Adkins should be dismissed.
Adkins had already established that he and other breach victims had suffered an actual or threatened injury, under what's known as Article III standing, "because of a substantial risk of identity theft and also because he has lost time due to the breach," Judge Alsup wrote in his order (see Why So Many Data Breach Lawsuits Fail).
The judge also noted that for all breach victims, their "identity remains at peril, theft-wise."
But he dismissed an attempt to force Facebook to compensate breach victims for "lost time" due to the breach, and to set aside cash to pay for all U.S. breach victims' subscriptions to identity theft monitoring services. In part, that was because the plaintiff wasn't seeking to recover such costs, since he had not purchased such monitoring himself after the breach.
"If some members of the class bought credit monitoring because of this data breach, perhaps they can assert such a claim," the judge wrote.
Plaintiff Seeks 'Reasonable Security Measures'
The judge did rule, however, that the class-action lawsuit can proceed with its attempt to force Facebook to implement "reasonable" security measures.
The case launched by Adkins seeks a declaration that "Facebook’s existing security measures do not comply with its duties of care to provide adequate security," according to court documents. It also seeks a court order requiring Facebook to "implement and maintain reasonable security measures, including that Facebook engage third-party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests, and audits on Facebook’s systems on a periodic basis, and ordering Facebook to promptly correct any problems or issues detected by such third-party security auditors," according to court documents.
"Facebook argues that plaintiff does not have standing … because Facebook has fixed the bug that caused the data breach," the judge wrote. "This order holds that Facebook’s repetitive losses of users’ privacy supplies a long-term need for supervision, at least at the Rule 23 stage," which refers to the rules governing how class-action lawsuits may be pursued.
"At this stage, there is a likelihood of future harm to warrant potential relief," the judge wrote.
The judge set a deadline of Dec. 19 for the plaintiff and counsel to "jointly submit a proposal for class notification with a plan to distribute notice, including by first-class mail and via Facebook," to all breach victims.