Valuable personal info leaks from Facebook – not Zuck selling it, unencrypted hard drives of staff data stolen

Facebook has lost a copy of the personal details of 29,000 of its employees after hard drives containing unencrypted payroll information were stolen from an employee's car. The antisocial network said it is in the process of informing those who were exposed, though so far there is no indication of the purloined details being …

  1. whoseyourdaddy

    If there's a guarantee for Silicon Valley residents,

    (Oh, thank you. A gift from the gods, reasons to blow off facebook recruiters.)

    smash-n-grab car thieves fear nothing.

    Last month, a coworker (late model Honda minivan) was out a side window, gym bag, old sneakers and used gym clothes.

    Leaving your car unlocked is actually useless. If your vehicle doesn't have a locking trunk, don't leave it in the car. Period.

    1. Phil Kingston

      Re: If there's a guarantee for Silicon Valley residents,

      Don't leave anything in the car. Period.

      I learned this when owning a J Reg Vauxhall Nova. It seemed to get broken into almost weekly.

      1. phuzz Silver badge
        WTF?

        Re: If there's a guarantee for Silicon Valley residents,

        Last time they broke into my 206 (almost destroying the door lock in the process) they stole the wing mirror.

        Yep, the wing mirror, which ended up costing me £12 to replace.

        Seriously, how much crack can you get for a wonky wing mirror from an almost twenty year old car?

        The petrol in the tank would make much more sense. I pretty much double the value of my car when I fill the tank up.

        1. paulf
          Alien

          Re: If there's a guarantee for Silicon Valley residents,

          I recall being at university about 20 years ago and a story told by a friend of mine. His car was broken into, I think it was a crappy Maestro or Montego. All they pinched was the two front seat headrests and a 5 year old road atlas.

          He suspected some kind of steal to order operation, which is as baffling as your wonky wing mirror black market operation.

    2. TeeCee Gold badge

      Re: If there's a guarantee for Silicon Valley residents,

      Some years ago, a colleague of mine had his car broken into. He had a fancy stereo with a removable faceplate. The plod were already in attendance, the car park had been done.

      He had the faceplate on him in its little box, but they'd smashed a window to get into his glovebox ("most people put them there sir"). Then they'd crowbarred open the boot ("that's where everyone else leaves them sir").

      The cost of fixing the damage to the rear of the car was waaaayyyy more than a new stereo.

  2. Imhotep

    Rank Amateurs

    I don't think you should be allowed to use the phrase "abundance of caution" if you allow an employee to:

    1) Copy that sort of information to an unencrypted hard drive

    2) Remove it from the premises, tote it around and leave it unattended

    Do they not have an IT department? People on staff that enforce security?

    1. chivo243 Silver badge
      Trollface

      Re: Rank Amateurs

      I thought FB was an IT department, just not very secure or ethical or moral for that matter

      1. Pascal Monett Silver badge

        Oh it is very secure - if you are a governmental body trying to find out how it works, you will observe the hardest brick wall you have ever seen.

        The problem here is that the hard drive was not under House Commission scrutiny. If it had been, you couldn't have gotten to it with a tank.

        1. BebopWeBop
          Facepalm

          And on the other side of the pond, a House of Commons (or government) drive would have been thoughtfully left on a train. Unencrypted of course.

          1. Anonymous Coward

            That's because there's nowhere safer than a railway lost property box. Even if it's there, the workers will never find it.

    2. macjules

      Re: Rank Amateurs

      In this day and age why use a physical drive at all? Looks to me that the employee probably sold the data off and then claimed to have had their car broken into. After all, we are talking about a Facebook employee here.

      1. Captain Scarlet

        Re: Rank Amateurs

        Shows how much their staff can work cloud based.

    3. Mark192

      Re: Rank Amateurs

      "The report also notes that the worker was not authorized to have the drive in their car, and has been disciplined."

      Kinda surprised that the information was both on there and unencrypted. Is this normal?

    4. DiViDeD

      Re: Rank Amateurs

      "If you allow an employee to copy that sort of information to an unencrypted hard drive ... leave it unattended"

      You've never worked in government, have you?

      1. Anonymous Coward

        Re: Rank Amateurs

        "If you allow an employee to copy that sort of information to an unencrypted hard drive ... leave it unattended"

        "You've never worked in government, have you?"

        I do. I'd be sacked.

        1. DiViDeD

          Re: Rank Amateurs

          I'm reminded of Old Harry's Game when he was schmoozing the Foreign Secretary.

          "Could I take a look at the National ID database?"

          "Of course you can ..."

          "Oh, great! I'll...."

          "Just as soon as somebody hands it in"

  3. elvisimprsntr

    Let's hope it was Zuck himself that was the victim of the reported smash-n-grab. I would not be surprised if the victim was targeted. Not that difficult when employees post all their personal details on social media. Wait! What?

  4. Aynon Yuser

    I'm sure the data will be sold on the dark web to China, North Korea and Russia. They'll make good use of it all and find a way to profit in the millions or billions.

    I agree with one commenter. They were probably targeted.

    1. Anonymous Coward

      "Profit in the billions".

      Downvote, but only because I doubt the staff who lost their data are being paid that much that even if the scams completely emptied their accounts they'd make off with that much.

      But that's just me expecting FB to underpay, not your comment specifically.

  5. Charlie van Becelaere
    Facepalm

    "This theft impacts current and former Facebook employees only and no Facebook user data was involved."

    It's good to know that no Facebook employees are Facebook users - makes one feel all the more secure knowing they eat their own dog food as it were.

    1. Anonymous Coward

      And as Dave Lister once said:

      "Now I know why dogs lick their testicles. It's to take away the taste of the dog food!"

      I'll leave the rest up to your imagination.

      1. David 132 Silver badge

        Well, the alternative for him was a Pot Noodle, as I recall. So he made the sane choice.

  6. A random security guy

    Serious compliance problem

    This all comes from the top; they play fast and loose with all personal data. Given their revenue and size, by now Payroll/Accounting and HR should have had multiple levels of security and audit, including alerts on data exports, inability to connect foreign drives, inability to even bulk download data to drives, etc.

    I have seen much smaller (and definitely less techie) organizations do a better job controlling access. They must have violated a few California laws. There are also SOX/GLBA issues since these breaches materially impact the company.

    Next year will be interesting as CCPA will kick in. FB is, obviously, wanting to gut the law. Happy that I turned down their job offer. Being a security professional is hard enough, being tainted by FB would have made my future bleak.
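As an added illustration of the controls this comment calls for (alerts on data exports, blocking foreign drives, no bulk downloads to removable media), here is a small detector run over constructed endpoint audit events. It is example code written for this page, not anything from Facebook or The Register; the event field names, the "usb:" device prefix and the 100 MiB bulk threshold are assumptions.

```python
from collections import defaultdict

# Constructed endpoint audit events (not real logs). The field names
# user, event, device, encrypted, bytes and tags are assumed for this example.
EVENTS = [
    {"user": "alice", "event": "mount", "device": "usb:ext-1", "encrypted": False},
    {"user": "alice", "event": "write", "device": "usb:ext-1",
     "bytes": 900_000_000, "tags": ["payroll"]},
    {"user": "bob", "event": "mount", "device": "usb:ext-2", "encrypted": True},
    {"user": "bob", "event": "write", "device": "usb:ext-2",
     "bytes": 5_000_000, "tags": []},
    {"user": "carol", "event": "write", "device": "local:c",
     "bytes": 2_000_000_000, "tags": ["payroll"]},
]

SENSITIVE_TAGS = {"payroll", "hr"}   # datasets that must never land on removable media
BULK_BYTES = 100 * 1024 * 1024       # 100 MiB cumulative per user/device (assumed threshold)


def is_removable(device):
    """Removable media is identified by a 'usb:' prefix in the constructed events."""
    return device.startswith("usb:")


def detect(events):
    """Return a list of (alert_kind, user, device) tuples, in event order."""
    alerts = []
    written = defaultdict(int)   # (user, device) -> cumulative bytes written there
    bulk_raised = set()          # (user, device) pairs already flagged for bulk export
    for e in events:
        user, dev = e["user"], e["device"]
        if e["event"] == "mount" and is_removable(dev) and not e.get("encrypted", False):
            # Control 1: a foreign drive that is not encrypted should be blocked or flagged.
            alerts.append(("UNENCRYPTED_REMOVABLE_MOUNT", user, dev))
        elif e["event"] == "write" and is_removable(dev):
            # Control 2: a sensitive dataset leaving to removable media, at any size.
            if SENSITIVE_TAGS & set(e.get("tags", [])):
                alerts.append(("SENSITIVE_TO_REMOVABLE", user, dev))
            # Control 3: bulk export, raised once per user/device when the threshold is crossed.
            written[(user, dev)] += e["bytes"]
            if written[(user, dev)] >= BULK_BYTES and (user, dev) not in bulk_raised:
                bulk_raised.add((user, dev))
                alerts.append(("BULK_TO_REMOVABLE", user, dev))
    return alerts


if __name__ == "__main__":
    for kind, user, dev in detect(EVENTS):
        print(f"{kind:28} user={user} device={dev}")
```

Note that carol's 2 GB payroll write to the local disk is deliberately not flagged: this toy only watches removable media, so a complete control set would also need the local-copy alerting the comment mentions.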

    1. John Brown (no body) Silver badge

      Re: Serious compliance problem

      "They must have violated a few California laws. There are also SOX/GLBA issues since these breaches materially impact the company."

      I wonder if it includes any EU based employee data? That could get interesting and maybe test the latest figleaf Privacy Shield implementation.

      1. Halfmad

        Re: Serious compliance problem

        If it included a single EU citizen then yes it did.

  7. JohnFen

    Stolen from a car??

    In literally every place I've worked over the last 20 years, taking any computer out of the building without having the hard drives encrypted is a strong no-exceptions firing offense. I'm really surprised that this isn't the case at Facebook. I know I shouldn't be, but I am.

    In most of those places, the hard drive encryption was installed by IT when the machines were prepared for employee use, so even the machines that don't leave the building are locked down.

    1. Goldmember

      Re: Stolen from a car??

      Yeah, I was thinking the same thing. Any laptops would surely have BitLocker set up at the very least. But then I re-read the article and it says they were hard drives (plural, not necessarily inside laptops) and that the employee didn't have permission to have them in their car.

      Sounds like somebody copied the payroll database to portable external drives. Although there is no excuse for these also not to have been encrypted. And not having enforced policies around copying data to external drives, whilst very stupid, would not surprise me with a company like Facebook.

      1. JohnFen

        Re: Stolen from a car??

        So it sounds like the data was stolen twice -- once by the employee, and once again by the person who broke into the car.

        Given that everyone knows (or should know) that the greatest security risk is the company's employees, not external hackers, I expect that all companies would have some sort of monitoring and access controls in place to reduce that risk. Such controls are not foolproof, of course, so maybe Facebook did have them. If not, then they'd better start.

        1. Anonymous Coward

          Re: Stolen from a car??

          You'd think.

          I had a project manager insist I look at how to put an entire customer database on an external USB drive (he helpfully said he could get one from a local supplier) so he could get it mailed to a different country.

          Now I obviously refused point blank, stated why there was no way I was going to comply, and passed the whole thing over to the Security team to deal with - but there are those out there who will just do as they are told without question.

          1. Vometia Munro Silver badge

            Re: Stolen from a car??

            Not quite as bad, but I remember being ordered to drive a DAT (so yeah, it was a few years ago) containing all sorts of interesting bank details across the country because apparently some hungover programmer was more trustworthy than an actual courier. Happily, I managed to not lose it (or myself) on the way.

            1. a_yank_lurker

              Re: Stolen from a car??

              Sometimes it is better to have a trusted employee carry very sensitive or important documents as they have some real skin in the game. I have been a 'courier' a few times for delivering bid documents to a customer for similar reasons.

              1. Anonymous Coward
                Facepalm

                Re: Stolen from a car??

                Yep. But I doubt you left the bid documents, with cheques etc, in the car unattended? ;)

              2. Anonymous Coward

                Re: Stolen from a car??

                First off I'm a PM who consults with local and central government.

                I've not worked anywhere in the past 5 years where I could have used an encrypted external device; all the laptops I have been issued with have been encrypted (I would insist they were if they were not).

                Even if it's being transported by a courier or a trusted member of staff it should still be strongly encrypted.

                Usually I will use a point to point VPN to transfer compacted & encrypted files, but where this isn't available or the data volume is too high an encrypted drive can be used. The last time I had to do this I was sending financial information to a new outsourcing provider. I used a specialist security company who recruited ex special forces personnel and used unmarked random rental vans to transport the disk, which was secured in a small safe chained to the inside of the vehicle. There were 2 couriers so the vehicle would never be left unattended. Even though this was strongly encrypted we had to be aware of the impact of the headline 'xxx County Council lose all financial records'. It was a costly exercise but the data got there on time.

    2. a_yank_lurker

      Re: Stolen from a car??

      Where I work we are issued company laptops with encrypted drives for company business. And, yes, we often work from home. Logging into the company network with unauthorized kit is a firing offense but there is no real reason to do so.

      1. Anonymous Coward

        Re: Stolen from a car??

        Logging into the company network with unauthorized kit is a firing offense

        The fact that such would be possible would make me raise questions to start with...

  8. NuffSed?
    Joke

    Oh me, me.

    Not quite the perfect moment or scenario, but I have waited so long to sling it back.

    "Nothing to fear, nothing to hide. What's the problem?"

  9. Evil Auditor Silver badge
    WTF?

    What a pathetic bunch of bloody imbeciles! Storing that amount of data on a local hard drive does not happen by accident. And not encrypting a mobile storage device isn't an accident either. Nor is leaving such a device unattended in a car. Idiots. Utter idiots.

    1. Twanky
  10. FuzzyWuzzys
    Facepalm

    Just the one simple question...

    Why is employee payroll data on a laptop, in a car?

    If you can answer that and come up with something that doesn't make me roll my eyes then I'll let you off.

    1. Anonymous Coward

      Re: Just the one simple question...

      Or even worse, on external disks? Is Facebook bandwidth so low people have to carry home copies of data?

      Or is this just a cover up, and Facebook systems have been hacked?

    2. Jellied Eel Silver badge

      Re: Just the one simple question...

      If you can answer that and come up with something that doesn't make me roll my eyes then I'll let you off.

      So they could work from home?

      But I suspect that will cause eye strain because VPNs. Payroll could have been as simple as a spreadsheet, but that raises more questions.. Along with what else may have been on the drives given the 'need' to have more storage than just the laptop itself.

      1. werdsmith Silver badge

        Re: Just the one simple question...

        Work from home is not a mitigation

        Provide a virtual desktop with no upload or download. Just input controls and display, over a VPN with 2FA and certificate if remote working is absolutely necessary. Even that is borderline; the most sensitive stuff should not be available outside business premises.

        1. DiViDeD

          Re: Just the one simple question...

          There's work from home, and then there's work from home. When my woman worked for a biometric company here in Sydney, she could fire up her "secure" VPN (using 'Multi Factor Authentication', dontcha know, because "multi" sounds so much more secure than "two") on her personal laptop, then merrily copy files from company servers to her local drive as though they were all part of the same device.

          Of course, there could have been sophisticated logging systems in place to record every instance of file transfer, but having met their system admin, I rather doubt it.

  11. Anonymous Coward

    spy on yourself

    My guess is it's an 'innocent' way to get more access into the employees' financial records for some nefarious reason. Paranoia about employee loyalty or whistleblowing.

  12. Mephistro
    Devil

    Good for the goose...

    Nuff said.

  13. Anonymous South African Coward Bronze badge

    The report also notes that the worker was not authorized to have the drive in their car, and has been disciplined.

    Time after time I've seen that people just leave their preciouses in plain sight, thinking "they'll be gone just a few minutes" or "there's security folks at the entrance to the carp ark*", or "nothing will happen, too many people around".

    Then, when they get back, their preciouses' gone.

    Never happened to me, I lock my stuff in my car's trunk. And I do it whenever I set out from work or home, so there's nothing to tempt any ne'er-do-wells looking for a quick payday at somebody else's expense.

    It is not safe out there anymore.

    If somebody can make a laptop that'll produce thick, stinking smoke when switched on, I'll leave that in plain sight as bait.

    1. Jan 0 Silver badge

      How is the trunk of your car any more secure than the rest of your car?

      1. David 132 Silver badge

        And what do biblical ships for fish have to do with it? This "carp ark" of which you speak fascinates me.

        1. Anonymous Coward

          Carp ark

          This was situated in the basement level of the Ark.

          Noah left the windows open so the fish could get some fresh air.

      2. Anonymous Coward
        Facepalm

        It is not, but if you are not a targeted attack (known/followed) then the thief just has to take a gamble, and you are "lost" in the randomness of which car in the carpark gets done in that day.

        Besides, even empty bags, if out of sight, reduce the chance of break-ins. An empty bag on the front seat might tempt someone, whereas in the "unsecure" trunk it is not a temptation. Out of sight, out of mind and all that.

      3. DiViDeD

        Re: How is the trunk of your car any more secure than the rest of your car?

        It's not about security, it's about visibility. Opportunist thieves are far more likely to look in the windows of all the cars to spot something worth a brick through the window than to crowbar open every car boot in the car park, n'est-ce pas?

    2. Montreal Sean
      Flame

      "If somebody can make a laptop that'll produce thick, stinking smoke when switched on, I'll leave that in plain sight as bait."

      Didn't Toshiba make one of those?

      1. Steve K
        Coat

        Wasn't that the Samsung Galaxy Note?

  14. quartzz

    "so far there is no indication of the purloined details being used for fraud". It's really weird how, when you tell an insurance company or a bank that, they immediately cancel whatever it is you had and issue you with a new one, i.e. "they have no idea". When do we get Libra? Or when does Facebook go back to being number 3 ranked on Alexa, like it hasn't been for a couple of months?

  15. Anonymous Coward

    On the face of things, throw the book at em

    This story doesn't add up at all.

  16. Anonymous Coward

    Are you sure it wasn't 'stolen'?

    New way to sell data.

  17. Mike 16

    Free Appraisal

    Vouched for by a Fortune 100 company.

    Should make it easier to sell the data. Although that assumes that it was either an inside job (like most large crimes) or that some random window-smasher reads ElReg or Financial/IT media.

  18. Jake Maverick

    Disciplined? So not fired or prosecuted, named and shamed or anything... most likely a promotion?
