The personal and financial data of thousands of Facebook workers was exposed after somebody allegedly stole corporate hard drives from an employee’s car.
The unencrypted drives contained workers’ payroll information including the names, bank account numbers and the last four digits of social security numbers belonging to approximately 29,000 workers, according to Bloomberg. The compromised data also contained salary information, bonus amounts and equity details.
The worker’s car was broken into on 17 November, and the firm realised the hard drives had been stolen three days later. Facebook told its affected employees on 13 December that their financial and personal details may have been compromised following a forensic investigation in late November.
The hard drives stored information of US-based employees who worked at the social media company in 2018, although did not contain any users’ personal or financial data. The firm said it would offer the affected employees free identity theft and credit monitoring services.
“We are working with law enforcement as they investigate a recent car break-in and theft of an employee’s bag containing company equipment with employee payroll information stored on it,” a spokesperson told IT Pro.
“We have seen no evidence of abuse and believe this was a smash and grab crime rather than an attempt to steal employee information.”
“We have taken appropriate disciplinary action,” the spokesperson added in a statement to Bloomberg, commenting on the payroll employee who extracted the hard drives from the site against company protocol. “We won’t be discussing individual personnel details.”
How do vulnerabilities get into software?
90% of security incidents result from exploits against defects in software
The company has gained notoriety for leaking the personal data of its users on several prominent occasions. The personal data of 30 million users, for example, was announced to have leaked in October 2018 due to a vulnerability in Facebook’s code that existed between July 2017 and September 2018.
The Irish Data Protection Commission (DPC) is also investigating the firm for more than ten separate General Data Protection Regulation (GDPR) violations, albeit not all related to the exposure of user data.
