On the surface, it seems like another privacy hit for Facebook: a thief broke into an employee's car "recently," the company told CNBC Friday, taking company equipment including hard drives. The company said the hard drives contained unencrypted personal data of current and former Facebook employees, and alerted those employees to the theft "out of an abundance of caution."
But this is unlikely to be a data problem of any significance to Facebook for a simple reason: thefts of computer equipment remain almost entirely about re-selling that equipment as a commodity, not lifting the data and selling the information as well.
In fact, the announcement is possibly a testament to Facebook's improved transparency on data protection issues, and the heightened regulatory obligations for telling affected people when their data could possibly be viewed by an outside party. It also illustrates how slow change can be in the cybersecurity sphere, since this type of theft, and the outrage it provokes, are so similar to other incidents that are decades old.
Data theft by stolen or lost hard drive is probably one of the oldest types of computer security "breaches."
Banks were most likely to fall victim to incidents similar to the Facebook equipment theft. Take this case from 2005, in which data on 3.9 million Citigroup customers was lost in a UPS mix-up of back-up magnetic data tapes.
"Executives at Citigroup said the tapes were picked up by UPS early in May and had not been seen since," reads a New York Times piece on the incident from June 7, 2005. "The tapes contained names, addresses, Social Security numbers, account numbers, payment histories and other details on small personal loans made to millions of customers through CitiFinancial's network of more than 1,800 lending branches."
"It was, however, the latest in a series of recent data-security failures involving nearly every kind of institution that compiles personal information -- ranging from data brokers like ChoicePoint and LexisNexis to financial institutions like Bank of America and Wachovia to the media giant Time Warner to universities like Boston College and the University of California, Berkeley," the 14-year-old article continues. "All these institutions have reported data breaches in the last five months, affecting millions of individuals and spurring Congressional hearings and numerous bills aimed at improving security in the handling of sensitive consumer information."
As Matthew McConnaughey once said, channeling Friedrich Nietzsche: "Time is a flat circle."
There have been a handful of cases where physical data theft has led to a genuine electronic data breach, however, but these are usually done with specific intent. In one case that sparked a class action (and was later settled for $5,000 per affected individual, a significant number for a data breach), a hospital worker in Alabama stole medical records from an unlocked room, and shared them with criminal partners online who then filled out fraudulent tax returns in the victims' names.
It was a rare case where individuals could prove immediate, material harm from a data breach. This was almost certainly not the intent of the Facebook car thief.
Outside of spy novels, theft of personal information by burglary is extremely rare. Computer equipment, smart phones and tablets are far more valuable when they are quickly scrubbed of their contents and sold illegally, either over the web or to a pawn shop or other broker. It follows that the Facebook equipment will probably have had the same fate, its contents wiped, any identifying stickers removed and then propped up for sale on eBay.
They may have simply ended up in a massive Bay Area warehouse, like in this case from 2018, where hundreds of laptops and other equipment that had been stolen in cars were recovered, according to the San Jose Mercury News.
Facebook also has some major regulatory issues. The company has faced a record Federal Trade Commission fine in 2019, alongside a host of smaller fines in the U.S. and abroad. The European Union continues to look into a privacy issues at the company, and further fines are all but guaranteed. General Data Protection Regulation in that country calls for a 72-hour notification period, a provision that started earlier this year and represented an significantly expedited timeline for reporting breaches than ever before.
This has meant that Facebook in particular – under the microscope as it is – will probably continue to report every, single arcane and non-impactful security and privacy incident that it experiences as a company. Facebook, rightly, wants to stay on the right side of these regulations.
That may create the perception that the company keeps screwing up. On the contrary, we're just hearing about every, single thing that happens now, presumably. Expect more of these in 2020.