Facebook has a poor record when it comes to data protection, and that trend continues. It is usually user data that has been at risk, but this time it is employees’ data: payroll records have been stolen.

The records were stolen last month when a thief took unencrypted hard drives from a Facebook payroll staffer’s car. According to Bloomberg:

The hard drives, which were unencrypted, included payroll data like employee names, bank account numbers and the last four digits of employees’ social security numbers, according to an email Facebook shared with staff Friday morning. The drives also included compensation information, including salaries, bonus amounts, and some equity details.

In total, the drives contained personal data for about 29,000 U.S. employees who worked at Facebook in 2018, a spokeswoman confirmed.

The theft occurred on November 17th, but it was some time before employees were notified. It wasn’t confirmed that the hard drives contained Facebook payroll information until November 29th, and those affected weren’t told until December 13th.

This is far too long a gap, especially given the sensitive nature of the information. Facebook have, however, started taking steps to limit the damage. Bloomberg’s report states:

The employee who was robbed is a member of Facebook’s payroll department, and wasn’t supposed to have taken the hard drives outside the office. “We have taken appropriate disciplinary action,” the spokeswoman said. “We won’t be discussing individual personnel details.”

Facebook is still working with law enforcement to recover the information, though none of the hard drives have been found. In an email, Facebook encouraged employees to notify their banks and offered them a two-year subscription to an identity theft monitoring service.

The full report is available from Bloomberg.

This breach is a stark reminder that basic mistakes can lead to serious data breaches. A simple lapse by one member of staff can have the direst consequences.

Facebook itself made several mistakes here. The member of staff should have been made more aware of their responsibilities, and further steps should have been taken to protect the data, such as encrypting the hard drives so that the records were unreadable to whoever took them.

The company’s response should also have been much swifter, identifying exactly what data had been stolen and notifying those affected sooner.

If you’re concerned about these kinds of lapses, make sure your staff are aware of their responsibilities with staff training from Activa Consulting, or get our expert advice on data protection through our consultancy services.