Facebook's bid to quash data breach lawsuit dismissed by judge

Updated: Whether the social media giant likes it or not, the court case is going ahead.
Written by Charlie Osborne, Contributing Writer

Facebook has failed in its attempt to prevent a lawsuit over a data breach impacting close to 30 million users from going to trial.  

As reported by Bloomberg, on June 21, a federal appeals court in San Francisco rejected the social media giant's request to dismiss the court case out of hand.

The judge presiding over the appeal, US District Judge William Alsup, permitted the case, in which claimants allege Facebook has proven itself negligent when it comes to handling and securing user data, to go forward.

The data breach in question was disclosed in September 2018. A vulnerability in Facebook's code permitted attackers to steal access tokens when users switched to the "View As" feature. 

As access tokens can be abused to pilfer account data, the security incident was a severe one.

Facebook originally estimated that up to 50 million users were impacted, although this figure was later revised to roughly 30 million. 

The company resolved the security flaw and temporarily removed the "View As" feature, which permits users to see how their profile looks to the public, to investigate the code issues. "View As" is slowly being restored; however, for some users this feature is still unavailable.

Facebook has argued that, as the victim of a cyberattack, the company should not be held legally liable and that, because the threat actors do not appear to have snagged any truly sensitive information -- such as financial data or passwords -- no real harm was done, as reported by the publication.

Claimants in the case said in a court filing that Facebook has attempted to avoid all liability and "abdicate all accountability."

The tech giant's arguments were dismissed by Alsup, who, while citing a separate case, said that not holding Facebook to account would be tantamount to "turning a blind eye" to firms that profit from user data and fail in their duties to uphold reasonable security standards. 

The Cambridge Analytica scandal, revealed in 2015, was the first major privacy scandal to strike Facebook -- but seems to only have heralded what was to come. In this incident, up to 87 million Facebook users had their data shared for the purposes of voter profiling without their consent. 

The attorney general for Washington DC is taking Facebook to court over the scandal, and court documents allege the company knew of the data scraping months before anything was made public.

Within the last year, Facebook has also revealed the storage of millions of Facebook, Facebook Lite and Instagram user passwords in plaintext and the harvest of millions of email contacts without permission, and has been criticized for a research project which paid teenagers for extensive access to their private information.

Update 17.44 BST: A Facebook spokesperson told ZDNet:

"We're pleased that the court dismissed several claims and we look forward to continuing our defense of the remaining claims."
