[BreachExchange] Thief Stole Payroll Data of 29,000 Facebook Employees

Destry Winant destry at riskbasedsecurity.com
Tue Dec 17 09:28:00 EST 2019


Some tens of thousands of current and former Facebook employees are
impacted after a thief stole corporate hard drives from an employee’s
car. According to Bloomberg, banking information of 29,000 Facebook
employees in the U.S. was compromised.

The hard drives, which were unencrypted, contained payroll data like
employee names, bank account numbers, social security numbers, salary
details, bonus amounts, and equity details. However, Facebook
clarified that the stolen drives didn’t include Facebook users’ data.

“We worked with law enforcement as they investigated a recent car
break-in and theft of an employee’s bag containing company equipment
with employee payroll information stored on it. We have seen no
evidence of abuse and believe this was a smash and grab crime rather
than an attempt to steal employee information,” Facebook said in a

According to sources, the incident occurred on November 17. Facebook
began notifying the affected employees on December 13, after
realizing the issue on November 20.

The employee who was robbed is a member of Facebook’s payroll
department. Facebook stated that it has taken disciplinary action
against the employee, as it is unethical to carry the company’s
sensitive information outside the office.

Facebook authorities stated that they are working with law enforcement
to recover the information. The social networking giant also offered
affected employees a two-year subscription to an identity theft
monitoring service.

Data breach woes for Facebook don’t seem to be ending. Facebook and
its subsidiaries like WhatsApp and Instagram have faced several
security incidents in recent years that exposed the personal data of
their users.

Recently, Facebook admitted a data breach involving 100 third-party
app developers who had improper data access. In a blog post,
Facebook’s Konstantinos Papamiltiadis, Director of Platform
Partnerships, revealed that app developers had access to user data
such as group member names and profile pictures through the Group API.

Prior to April 2018, app developers had unrestricted access to group
members’ information. With the changes made in Group API posts in
April 2018, app developers now have only limited access to group
information such as group name, number of users, and the content in
group posts.

According to Facebook’s new framework designed on the guidelines of
their agreement with the Federal Trade Commission (FTC), Facebook is
required to conduct timely and scheduled audits of all its products
and services for factors such as data breach, privacy adherence, etc.
