A group of Facebook users allegedly harmed by a 2018 data breach has reached a deal with the social media giant requiring it to pay $16 million in fees and improve its security protocols.
Facebook users affected by the data breach asked U.S. District Judge William Alsup to approve the settlement agreement, which commits Facebook to reforming its security measures.
Facebook has come under attack in recent years for lax security measures that opened the door to hackers and other data thieves. The 2018 hack at the center of this case exposed the personal data of about 29 million users.
The security improvements Facebook committed to weren’t disclosed, but according to Law 360, the class members’ bid for initial approval of the deal said the company agreed to “a broad range of sophisticated and detailed measures designed to prevent and detect security issues relating to access tokens.”
Access tokens are the security credentials used to log into a website. They act as digital keys that allow Facebook users to remain logged into the website without having to re-enter their password each time.
Facebook also agreed to consent to “regular assessments of compliance by an independent third party for 5 years” under the agreement.
The judge, who must approve the deal, has said previously that “Facebook’s repetitive losses of users’ privacy supplies a long-term need for supervision.”
Hackers were able to gain access to Facebook usernames and contact information through a vulnerability in the code of the social media platform’s “View As” feature, which allows users to see how their profiles appear to others. Using access tokens that they stole, hackers were able to access tens of millions of accounts.
Facebook said that the hackers did not gain access to passwords, bank account info, or credit cards.
Counsel for the class members told the court that they had accrued costs of about $7.3 million and that the figure is expected to grow with continuing litigation costs and the cost of monitoring Facebook’s compliance over the next five years. The lawyers said that they would request a fee of “no more than $16 million” and a maximum of $1.7 million in expenses.
According to Law 360, Facebook is aware of the monetary requests but has not agreed with them.
Lead plaintiff Stephen Adkins originally sought certification for three separate classes. One of the classes sought an injunction that would make Facebook reform its security practices. Another sought expenses for future credit monitoring, and a third sought cash damages for time spent addressing the data breach.
Judge Alsup found that only the class that sought changes to Facebook’s security protocols was suitable for certification because the lead plaintiff didn’t show that he had incurred out-of-pocket expenses because of the data breach.