Facebook (Data Breach)

Overview

Facebook, Inc. (“Facebook”) operates a social networking website that allows people to communicate with their family, friends, coworkers, and acquaintances. Facebook also develops technologies that facilitate the sharing of information, photographs, website links, and videos. Facebook purports to allow its users (“Facebook Users” or “Users”) the ability to share and restrict information based on their own specific criteria. By the end of 2017, Facebook had more than 2.2 billion active Users.

As part of the sign-up process and as a consequence of interacting with their social network, Facebook Users create, maintain, and update profiles containing significant amounts of personal information, including their names, birthdates, hometowns, addresses, locations, interests, relationships, email addresses, photos, and videos, amongst others (“Personal Information”).

Facebook recently revealed that its Users’ Personal Information was subject to a massive data security breach in September 2018, affecting approximately 50 million Users (“September 2018 Data Breach”). Facebook publicly disclosed details of the September 2018 Data Breach for the first time in a statement on September 28, 2018. According to the statement and subsequent press call, Facebook learned of the breach as early as September 16, 2018, but has not yet directly informed or notified Facebook Users that their Personality Identifiable Information (PII) may be compromised as a result of the breach. Rather, Facebook stated that it began “logging users out” on the evening of September 27, 2018, but did not provide Users with any reason for being logged out. The statement further admitted that “attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.” The vulnerability in Facebook’s code was introduced in July 2017, and Facebook is currently unaware of how long hackers have had access since that time.

On October 11, 2018, Frank Azar Car & Truck Accident Lawyers filed a nationwide class action lawsuit, King et al. v. Facebook, Inc., Case No. 3:18-cv-06246 (N.D. Cal 2018), which also included California, Colorado, and New Jersey Sub-Classes, alleging that as a result of Facebook’s failure to maintain adequate security measures and timely security breach notifications, Facebook Users’ personal and private information has been compromised and remains vulnerable.

Further, Facebook Users have suffered an ascertainable loss in that they must undertake additional security measures, some at their own expense, to minimize the risk of future data breaches including, without limitation, canceling credit cards associated with their Facebook accounts and changing their passwords to Facebook, Instagram, and other linked accounts. But due to Facebook’s ongoing and incomplete investigation, Facebook Users have no guarantee that the above security measures will in fact adequately protect their personal information. As such, Plaintiffs and other Class Members have an ongoing interest in ensuring that their Personal Information is protected from past and future cybersecurity threats.