Facebook employees’ payroll data nabbed in car smash-and-grab

Facebook has again lost data on thousands of people, but this time, it’s the old-fashioned, smash-and-grab kind of data breach, done by a thief to an employee’s car.

Bloomberg Technology reported on Friday that a thief broke into an employee’s car and made off with payroll data for 29,000 current and former US Facebook workers.

The thief took unencrypted hard drives – drives that never should have been there – from a bag in the employee’s car.

Facebook said in an email to employees on Friday morning that the drives included payroll data, including employee names, bank account numbers and the last four digits of about 29,000 taxpayer IDs of employees who worked for Facebook in the US during 2018. The drives also contained other financial information, including salaries, bonus amounts, and some equity details.

A spokesperson told Bloomberg Technology that so far, the company hasn’t seen anybody try to exploit the employees’ data through identity theft.

The thief broke into the car on 17 November. Facebook supposedly realized the hard drives were missing three days later. On 29 November, a “forensic investigation” confirmed what type of information was on the drives. Facebook gave employees a heads-up about the theft on 13 December.

The Facebook spokeswoman said the police were duly notified:

We worked with law enforcement as they investigated a recent car break-in and theft of an employee’s bag containing company equipment with employee payroll information stored on it. We have seen no evidence of abuse and believe this was a smash and grab crime rather than an attempt to steal employee information.

And as far as the payroll employee responsible for leaving unencrypted drives in their car goes, they were duly disciplined, the spokeswoman said. As it is, the payroll employee hadn’t been authorized to take the drives out of their office. The Facebook spokeswoman didn’t give details of how the employee was disciplined:

We have taken appropriate disciplinary action. We won’t be discussing individual personnel details.

Readers, how would you discipline an employee who tosses unencrypted drives into a bag and leaves it in their car?

I think I’d sit them down in front of Mark Stockley’s 2014 article about security mistakes that small companies make and how to avoid them, point out that not encrypting drives is goof numero uno, underline the word “small,” remind them that Facebook is no pipsqueak and that all of its employees hence should, theoretically, know a whole lot better than small companies.

And then, finally, wag my finger at Facebook IT, which might try harder when it comes to training employees to encrypt drives and to abstain from removing them from the office.

All of which is, of course, hypothetical. We don’t know what kind of drives the thief got away with. Nor have the drives been retrieved yet.

In its email, Facebook encouraged employees to notify their banks and offered them a two-year subscription to an identity theft monitoring service, Bloomberg said.