Usually when we hear the words “Facebook” and “data leak,” it’s about user data being mishandled or exposed. But the latest data theft for the company is a little closer to home, as hard disks containing payroll information for thousands of employees have been stolen during a smash-and-grab car robbery.
Facebook may have taken steps in the last few years to tighten their data control policies, but it seems their best intentions have been foiled by an employee mistake and a spot of bad luck. On Friday morning, Facebook employees received an email from management confirming that unencrypted hard drives containing personal and payroll information had been stolen from a staff member’s car.
According to Bloomberg, the disks contained the data of almost 29,000 people who worked at Facebook during 2018, and included information such as salaries, bonus payments, bank account details and partial social security numbers.
For once, no Facebook user data was compromised.
The company doesn’t believe that staff information was specifically targeted. Instead they believe it was just bad luck that the disks happened to be in the car that was broken into. A spokesperson for Facebook said, “we worked with law enforcement as they investigated a recent car break-in and theft of an employee’s bag containing company equipment with employee payroll information stored on it, we have seen no evidence of abuse and believe this was a smash and grab crime rather than an attempt to steal employee information.”
Unsurprisingly, the unfortunate employee whose car was robbed was not meant to have taken the hard disks out the office. Facebook have confirmed that they have taken “appropriate disciplinary action” though they declined to say what ‘appropriate’ meant exactly.
Perhaps just as worrying for fellow staff members, however, is the timeline of events and Facebook’s sluggishness in communicating with people. The break-in allegedly happened on November 17, and Facebook confirmed a few days later that the disks in question had been taken, but employees were not notified until December 13. That’s almost a month during which the perpetrator could make use of the data.
The email to staff reportedly encouraged employees to inform their banks, and offered affected people a two-year subscription to an identity theft detection scheme.