Just hours after Facebook revealed that at least 50 million users were “directly affected” by a data breach, two of the social network’s users have come together in a class-action lawsuit.
Facebook on Friday alerted users that a security issue had been discovered on Tuesday, Sept. 25. A vulnerability in the site’s “View As” feature — which lets users see how their profile appears to others — gave hackers the means to take over people’s accounts.
It’s a bad situation that subsequently grew worse. Hours after the initial news broke, it became clear that Facebook users who had connected their profile to an Instagram account — and, potentially, any other third-party service — were at risk on those other platforms as well.
Now there’s this lawsuit, which names Carla Echavarria of California and Derrick Walker of Virginia as plaintiffs. The document also notes that the filing is “on behalf of all persons in the United States … whose PII was compromised in the data breach.”
(PII is an acronym for “personally identifiable information,” which the lawsuit defines as “names, birthdates, hometowns, addresses, locations, interests, relationships, email addresses, photos, and videos” — the data users share with Facebook.)
The lawsuit makes the case that Facebook’s inability to protect user data is an act of negligence, and that the company worked to conceal what the filing describes as a “lax and inadequate approach to data security.” The reasoning behind these allegations goes back to the Cambridge Analytica scandal in March.
“[Facebook] knew its data security measures were grossly inadequate by, at the absolute latest, March 2018 when the Cambridge Analytica matter came to light, exposing Facebook’s lax and inadequate approach to data security,” the court document reads.
“At that time, Facebook was on notice that its systems were extremely vulnerable to attack, facts [Facebook] already knew given its previous exposures and security problems.”
In other words, even if Facebook didn’t recognize its own data security issues until the March 2018 scandal broke, the revelations that surfaced should have prompted greater action.
As the filing states: “In response to all of these facts, [Facebook] chose to do nothing to protect [Echavarria, Walker, and other users] or warn them about the security problems and, instead, openly represented to Congress and foreign governments that Facebook was dedicated to the highest and most advance security practices and protocols.”
The lawsuit also alleges that Facebook violated aspects of California’s Unfair Competition Law and Customer Records Act.