Facebook payroll data stolen

Facebook has a poor record when it comes to data protection, and that trend continues. Usually it is user data that has been put at risk, but this time it is the company's own employees whose payroll data has been stolen.

The details were stolen last month when a thief stole unencrypted hard drives from a Facebook payroll staffer’s car. According to Bloomberg:

The hard drives, which were unencrypted, included payroll data like employee names, bank account numbers and the last four digits of employees’ social security numbers, according to an email Facebook shared with staff Friday morning. The drives also included compensation information, including salaries, bonus amounts, and some equity details.

In total, the drives contained personal data for about 29,000 U.S. employees who worked at Facebook in 2018, a spokeswoman confirmed.

The theft occurred on November 17th, but it was some time before employees were notified. It was not confirmed that the hard drives contained Facebook payroll information until November 29th, and those affected were not told until December 13th, almost four weeks after the theft.

This is far too long a gap, especially given the sensitive nature of the information, which includes bank account numbers. Facebook has, however, started taking steps to limit the damage. Bloomberg's report states:

The employee who was robbed is a member of Facebook’s payroll department, and wasn’t supposed to have taken the hard drives outside the office. “We have taken appropriate disciplinary action,” the spokeswoman said. “We won’t be discussing individual personnel details.”

Facebook is still working with law enforcement to recover the information, though none of the hard drives have been found. In an email, Facebook encouraged employees to notify their banks and offered them a two-year subscription to an identity theft monitoring service.

Click here to read the full article from Bloomberg.

This breach should be a stark reminder that basic mistakes can lead to serious data breaches. A single lapse by one member of staff can have severe consequences for thousands of people.

Facebook itself made several mistakes here. The member of staff should have been made more aware of their responsibilities, and further steps should have been taken to protect the data regardless of what any individual did: encrypting the hard drives, so that a stolen drive exposes nothing, and keeping payroll data off removable media that can leave the office in the first place.

The company’s response should also have been much swifter, identifying exactly what data had been stolen and notifying those affected sooner.

If you're concerned about this kind of lapse, make sure your staff are aware of their responsibilities with staff training from Activa Consulting, or get our expert advice on data protection with our consultancy services.

Private messages for sale from 81,000 hacked Facebook accounts

News has broken that the private messages of 81,000 hacked Facebook accounts have been stolen. The hackers are now attempting to sell this data on at a price of 10 cents (8p) per account, and are also claiming to have obtained details from far more accounts, 120 million in total, although this larger figure has not been verified.

Facebook has already faced huge problems regarding data protection. It was fined £500,000 earlier this year for its role in the Cambridge Analytica scandal, and it now looks like it will be facing further penalties from the Information Commissioner's Office (ICO). Regardless of the scale of this latest breach, things are looking bad for the social media giant.

Whatever happens next, a new fine will tell us something useful. The Cambridge Analytica scandal took place before GDPR came into effect in May, so the fine against Facebook was brought under the pre-existing data protection law, specifically the Data Protection Act 1998. A new fine relating to this latest breach, which occurred after May 25th, would instead fall under GDPR.

It's important to note that Facebook has not been able to hide behind being a US company. And as it turns out, it may have been fortunate that the Cambridge Analytica scandal was exposed before May 25th: £500,000 was the maximum penalty the ICO could impose under the 1998 Act, whereas GDPR allows fines of up to 4% of global annual turnover. It's impossible to say what the fine would have been under GDPR, but it may well have been considerably greater than £500,000.

No matter what, though, the single biggest issue here is the ongoing risk to users. Facebook is built around people's personal data, but has so far been unable to provide adequate protection for that data. If the trend continues, there could be even more trouble ahead for the company.

You can find out more about this latest data breach of hacked Facebook accounts here.

And if you want to ensure that your company is GDPR compliant, make use of our GDPR Gap Analysis to make sure that you avoid heavy fines.