How to Sue Facebook for Data Breach

In common terms, a data breach is an event where information is stolen or taken without the knowledge or authorization of a system's owner. In this case, the system owner is Facebook. Most data breaches are the result of hacking or malware invasions. Facebook is a massive target for attack since it has so many users. Once a target has been chosen, attackers look to exploit weaknesses in the system to instigate a breach, whether through exploiting vulnerabilities, injecting code, or session hijacking.

A data breach can also occur through unintended disclosure, where negligence or mistakes cause sensitive data to be exposed. Additionally, data breaches can happen through loss or theft if a portable drive, office computer, files, or laptop is stolen. An intentional data breach can occur if a trusted or authorized party steals private data.

All 50 states in the U.S. have breach notification laws that require notification of state residents if a data breach has occurred. Data breaches can expose sensitive information such as Social Security numbers, financial account numbers, credit card details, online account credentials, birthdates, and other private information that we wouldn't want people with malicious intent to possess.

The most recent known Facebook data breach occurred in 2019. It resulted in the personal data of 533 million Facebook users being posted on an amateur online hacking forum in April of 2021. The data leaked includes full names, locations, phone numbers, email addresses, and other user profile details. Shockingly, Facebook did not think users should be notified because the data was publicly available. Yet, security experts weighed in, suggesting hackers can do great damage with little information and were particularly concerned with leaked phone numbers as these are universal identifiers. Increasingly, we use our phone numbers to receive calls or texts to verify our identity using two-factor identification.

The data breach happened when hackers exploited a now-defunct Facebook tool that allowed its users to easily find people by entering phone numbers into a contact importer. Although the misuse of this tool is against Facebook's terms of service, that didn't stop hackers from scraping profile data. The vulnerability was fixed in September 2019, but the damage was already done. Facebook's attitude towards data scraping for nefarious uses was something akin to being the price of having a social media account.

How to Sue Facebook for Data Breach: the Challenges

It's no easy feat to sue Facebook for a data breach because of the terms of service users are required to accept before using the Facebook app or third-party apps made by developers. Let's face it, rarely do people take the time to read pages and pages of tiny print that go over all the mundane and often legally complicated terms of service before accepting them. 

However, that doesn't mean that Facebook shouldn't be held accountable. In Facebook's privacy policy, they assure user's that they own their own content and information and can control how it's shared. When a data breach happens, whether caused unintentionally, negligently or because of hackers, Facebook should have some responsibility. 

Suppose you have come to any type of harm from a Facebook data breach, whether financial loss or injury to your reputation. In that case, you may be able to sue for damages. Social media channels have a responsibility to have security measures in place to protect your privacy. We are still in the infancy of legislating federal and state privacy laws. Yet, more is being done to expand protections for consumers. When you reach out to one of our data breach attorneys, they will be able to review the terms of service agreements you've accepted and decide if there is a legal path forward. 

June 2020 - Facebook engineers found a problem that allowed third-party developers to access Facebook users' personal data. This data was not something third-party developers should have been able to access. Once the discovery was made, the problem was fixed. However, despite a new policy Facebook implemented to address the Cambridge Analytica scandal of 2018, which only allows developers a 90-day view of customer data after the user engages with the developer's app, thousand of developers could still see the personal information of inactive users if those inactive users were "friends" with an active user.

December 2019 - The private information from 267 million Facebook accounts was discovered on an unprotected database on the dark web by a U.K.-based security researcher. It's believed this data was left exposed for nearly two weeks. The data included names, phone numbers, and Facebook user IDs. Later on, in March of 2020, another cache was found with the data of 42 million more users totaling 309 million.

It's believed the culprits were a criminal group of hackers based in Vietnam. Experts think the hackers either abused the Facebook API or got the data through illegal scraping. In April 2020, the collective data was found for sale again on the dark web.

September 2019 - An unsecured server was found housing the personal information of 419 million Facebook users. Since the server was publicly accessible, anyone could potentially see a user's Facebook ID and phone number. In some instances, the user's gender, country, and user's name were exposed. The server was not a Facebook server and was taken down, yet no one knows who scraped the data.

July 2019 - In 2011, Facebook was investigated by the Federal Trade Commission (FTC) for privacy violations. In response, a settlement was reached. However, in 2019, Facebook was found to have not abided by the 2011 terms of the settlement, so the company was reinvestigated and given a $5 billion penalty. It was the FTC's most significant penalty ever imposed to get Facebook to change its approach to privacy concerns and thwart future violations. 

April 2019 - Without gaining permission, between May 2016 and 2019, Facebook imported all new users' email contacts as part of signing up for an account on the platform. When the new user was in the process of creating an account, they had to input their email address. Facebook then had the new user input their email password as part of a verification measure. The user was not asked if Facebook could import their email contacts, nor did the user have the ability to stop the process. This happened to 1.5 million new platform users. The email contact data was used to improve ad targeting and recommend friends to new users. 

April 2019 - The data of 540 million Facebook users, including account names, Facebook IDs, comments, likes, reactions, and more, was found by an UpGuard security firm researcher on an Amazon cloud public server. The data was accessible to anyone on the Internet. The data, those app developers captured, was improperly stored, and even though UpGuard notified the server hosting company of the situation, no action was taken until Facebook was made aware. Although Facebook had no direct responsibility for storing this data, it has repeatedly broken its promise not to share users' data with outside companies.

March 2019 - It was found that 2,000 Facebook employees had access to 600 million users' passwords. The passwords dating back to 2012 were stored in plaintext files that any employee could access. Later, it was found that millions of Instagram users' passwords were similarly stored. Facebook owns Instagram.

December 2018 - A New York Times article revealed that Facebook once again violated users' privacy and went back on its promise to the FTC that it would not share user data without a user's explicit permission. Facebook defended this breach by stating it had shared the data with parties it considered as an extension of Facebook itself. This excuse held little water since some of these companies included Netflix and Spotify, which are obviously not a part of Facebook. Some of the data received by over 150 companies even had users' private messages. 

September 2018 - Facebook has a feature known as "view as," which allows users to view their profile as someone else would see it. A problem with the code that enabled this action gave hackers a way to steal a user's access token, which they could use to see private information. This issue went unnoticed for a year and impacted 50 to 90 million users. 

May 2018 - A Facebook user has control over who can view their posts and profile. If they share a post and only want a select number of friends or followers to see it, they can generally control it. However, a Facebook bug that was part of a new feature undergoing testing caused a glitch in privacy settings. Consequently, 14 million users' private posts were made public without knowledge or consent. Although the bug was identified quickly, the issue wasn't resolved for nine days.

March 2018 - Cambridge Analytica, a political consulting firm, exploited a loophole in Facebook's API, which allowed it to compile data on not only user's that downloaded their app, but all the user's friends too. Developers are forbidden to market or sell this kind of data, yet that's what Cambridge Analytica did for years with Facebook's knowledge. 

Facebook was silent about this data breach until a former employee of Cambridge Analytica gave two interviews to The Guardian and The New York Times. The intense scrutiny in the media forced Facebook to apologize, and Mark Zuckerberg ended up having to testify before Congress. The FTC fined Facebook $5 billion due to its privacy violations. It's believed the data breach affected 87 million users.

Facebook has a long, sordid history of data breaches from 2005 to the present that has impacted millions of users worldwide. What is made abundantly clear is that your private information is not safe on Facebook. There might be options for how to sue Facebook for a data breach or for a civil invasion of your privacy if confidential information made public caused any loss of reputation, shame, or financial damage, whether business or personal. Contact Morgan and Morgan today for a free case evaluation. You can move on with your life; we’re here to help.