On May 6, 2021, the Court granted final approval of an injunctive relief settlement in this data breach class action against Facebook, which requires Facebook to adopt, implement, and/or maintain a detailed set of security commitments for the next five years, which will be independently assessed by a third-party. 

On February 14, 2019, the Honorable William Alsup of the United States District Court for the Northern District of California appointed Cohen Milstein Co-Interim Class Counsel in this putative nationwide data breach class action against Facebook for its failure to protect its customers from a breach of personal data. 

Case Background

On October 29, 2018, Cohen Milstein and co-counsel filed a putative nationwide class action against Facebook for breach of personal data. The case was named: Angeles Meneses v. Facebook, Case No. 3:18-cv-6583, U.S. District Court, Northern District of California, San Francisco Division.

On September 28, 2018, Facebook announced that the personal information of approximately 30 million users may have been compromised in a breach of Facebook’s computer network. According to Facebook, names and contact information for 15 million users were stolen, while another 14 million users had additional profile details taken, such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow.

Facebook began to notify those impacted on or about October 12, 2018.

According to Facebook, the data breach was the result of a software vulnerability that permitted access tokens—which enables Facebook users to stay logged into Facebook without reentering their password—to be taken. The vulnerability existed for over a year, from July 2017 to September 2018.

The breach may also have impacted Facebook Login, which permits users to use their Facebook accounts and credentials to sign into accounts with third parties such as Netflix, ESPN, and Spotify.

Facebook, which had previously agreed to a 2011 Federal Trade Commission Consent Order to better protect user privacy and prevent third parties from misappropriating personal information, has admitted that it has had privacy and security issues in ads, in interviews, and before the U.S. Congress.

Facebook was on notice of its privacy issues following, inter alia, a recent scandal involving user data and political firm Cambridge Analytica. However, unlike the Cambridge Analytica scandal—in which a third-party company erroneously accessed user data—this vulnerability allowed attackers to directly take over user accounts.

Data privacy experts and research have shown that this type of personal information has great value to criminals, researchers, advertisers, and political campaigns and may be more important than the loss of a Social Security Number or credit card information.

Consumer Reports (October 12, 2018) interviewed Justin Brookman, director of privacy and technology policy for Consumers Union, the policy and mobilization division of Consumer Reports, who said of the Facebook data breach, “Most data breaches involve financial information, but your Facebook account can be misused in a number of ways that are harmful. Accessing your private communications and posts by itself is pretty invasive, but that information could also be used to crack account security questions or to scam you and your friends.”

The case name is: Stephen Adkins, et al. v. Facebook, Inc., Case No. 5:18-cv-05982 WHA, U.S. District Court, Northern District of California, San Francisco Division. The original case filed by Cohen Milstein was named: Angeles Meneses v. Facebook, Case No. 3:18-cv-6583, U.S. District Court, Northern District of California, San Francisco Division.