A federal judge has granted preliminary approval to Facebook's settlement of a class-action lawsuit over a security lapse that enabled hackers to steal 30 million users' information.
The proposed settlement requires Facebook to implement new security tools, undergo assessments and increase the frequency of “integrity checks” aimed at detecting breaches, among other measures.
“This proposal provides the primary injunctive goal of this suit: elimination of the vulnerability and Facebook’s commitment to security measures to protect not just class members but all Facebook users’ personal information,” U.S. District Court Judge William Alsup in the Northern District of California wrote Sunday in an order allowing the settlement to move forward.
If granted final approval, the settlement will resolve a class-action complaint over a security glitch uncovered in September of 2018, when Facebook reported that hackers had obtained personal data for millions of users worldwide by exploiting a coding vulnerability.
The hackers obtained wide-ranging information -- including names, phone numbers, email addresses, birthdates, relationship status, religious views and hometowns -- for around 14 million users, including 1.2 million in the United States.
Hackers also obtained a narrower set of data -- including names, phone numbers and email addresses -- for around 15 million users, including 2.7 million in the U.S.
Michigan resident Stephen Adkins brought a class-action complaint over the incident, alleging that Facebook acted negligently because it failed to use adequate security to protect users' data, among other claims.
Facebook agreed to resolve the matter after unsuccessfully asking Alsup to dismiss the case on the grounds that the data breach didn't result in a concrete injury to users.
“While the complaint speculates (baselessly) about various potential harms that might arise from the attack, ranging from identity theft to lost value of information, plaintiffs do not allege that they actually suffered any of those injuries,” Facebook wrote in court papers filed in 2019.
Alsup rejected that argument last year. "Facebook has gone to great lengths to show that all the information taken was otherwise publicly available information and not sensitive,” the judge wrote last June. “The information taken, however, need not be sensitive to weaponize hackers in their quest to commit further fraud or identity theft.”