SAN FRANCISCO (CN) — A federal judge has tentatively approved a settlement over a 2018 data breach that will require Facebook to submit to independent audits of its data security measures for the next five years.
The deal would resolve a class action over hackers’ infiltration of millions of Facebook accounts, accomplished by exploiting an access token vulnerability in a “View As” feature for user profiles. Facebook initially said the breach affected 50 million users but later downgraded the estimate to 29 million users, including 4 million in the United States.
“This proposal provides the primary injunctive goal of this suit: elimination of the vulnerability and Facebook’s commitment to security measures to protect not just class members but all Facebook users’ personal information,” U.S. District Judge William Alsup wrote in a 6-page order preliminarily approving the settlement Sunday.
The deal reached in February would require Facebook to adopt a series of data security enhancements, including increased suspicious activity monitoring. The company must also submit to annual data security audits by a third-party monitor for the next five years.
On March 5, Alsup demanded more details on the proposed deal, accusing lawyers for Facebook and a class of 4 million social network members of using “smoke and mirrors” to obscure what if anything in the agreement was new compared to the company’s existing legal obligations.
Following that demand, Facebook’s data security director testified in a March 26 declaration that seven of nine commitments in the settlement were put in place after the 2018 hack but not legally required. They include increasing the frequency of integrity checks during a user’s active session; introducing new tools to more quickly detect suspicious patterns and contain security incidents involving access tokens; implementing automatic suspicious activity alerts; limiting applications’ reliance on access tokens; eliminating “No Confidence authentication proofs” and requiring cryptographic proofs of valid logins before generating credentials; and expanding the logging of access tokens generated and using metadata to help detect, identify and investigate data compromises.
Many of those security improvements were intended to eliminate the vulnerability that let hackers compromise access tokens through the social network’s “View As” feature.
Mandating annual independent security audits for the next five years is the only component of the settlement that is brand new.
The deal also requires a Facebook security executive to report to the company’s board of directors, a practice Facebook has been following for years but was not legally required to do.
In the 2018 breach, hackers swiped names and contact information — such as phone numbers or email addresses — for 2.7 million U.S. users and infiltrated the profiles of an additional 1.2 million U.S. users, gaining access to usernames, birthdates, workplaces, hometowns, schools attended and other personal information, including places where they recently “checked in” or were “tagged.”
Lead plaintiff Stephen Adkins sued Facebook on Sept. 28, 2018, mere hours after the data breach was made public in a Facebook blog post.
Last year, Alsup ruled that a class of 4 million users could only seek injunctive relief to make Facebook improve its data security methods. He denied their request to seek monetary damages for credit monitoring services because lead plaintiff Adkins never paid for such services. The judge also denied the plaintiffs’ request to seek compensation for the loss of control over private information, finding that the personal data at issue had not been shown to be as valuable to the users themselves as it is to Facebook.
Objections to the tentatively approved settlement are due by March 8, 2021.
A hearing on final approval of the settlement, which will likely be held by telephone conference because of the pandemic, is scheduled for April 8, 2021.
Facebook declined further comment. It is represented by Elizabeth Deeley of Latham & Watkins in San Francisco.
A.J. De Bartolomeo of Trader Law in San Francisco and Andrew Friedman of Cohen Milstein Sellers & Toll in New York represent the plaintiff class.