District Court (Cal.) Says A Plaintiff Has Standing to Pursue ID Theft Claim Against Facebook

In Bass v. Facebook, Inc., No. C 18-05982 WHA (JSC), 2019 U.S. Dist. LEXIS 104488 (N.D. Cal. June 21, 2019), Judge Alsup allowed a plaintiff to pursue Facebook for an ID Theft claim.  The facts were as follows:

“Access tokens” star in the instant data breach. When a Facebook user logs into Facebook with a specific username and password, that user can conveniently access Facebook again without being forced to re-enter that information. This ease-of-access is facilitated by the “access token” generated by Facebook for that user upon his or her first log-in. The access token operates as an automatic super password — an electronic object embedded with all of a users’ security information — which allows a user to log in numerous times without typing out their username and password each time. Many companies, not just Facebook, use this tool to reduce barriers between [*7]  the user and the online platform thereby increasing ease-of-access and efficiency (id. ¶¶ 81-83). Facebook’s access tokens, however, carry specific value. As stated in the consolidated complaint: [o]nce a malicious actor is able to gain access to and compromise that user’s access token, Facebook’s lack of security and safeguards allowed that malicious actor to then use that access token to gain access to and compromise all tokens from that user’s shared or connected web applications (i.e., those applications that utilize the “Facebook Login” system, such as Microsoft Azure cloud platform, SalesForce, etc.). Worse, that malicious actor could then reset all user permissions, passwords, and other safeguards (such as two-factor authentication) not only in Facebook, but also any third-party accounts that utilize Facebook’s authentication login features and do so in such a manner that the user is not provided an alert or any other notification. From there, the malicious actor can syphon [sic] PII and other personal data from those accounts without hindrance. To prevent unauthorized users from eavesdropping, there is free software to validate the data transferred between the client browser [*8]  and the application servers. Most hackers also utilize the free software as a simple method to detect and identify easy areas of exploit. (Id. ¶ 110) (emphasis added). Put simply, once a Facebook user’s access token is compromised, all tokens from the user’s shared or connected web applications (like Skype and Uber) purportedly become accessible. In addition, anyone with access to the token can reset all other user data permissions and steal the tokens of all connected applications without alerting the original user. Facebook’s access tokens are allegedly the key to a breathtaking amount of online access (id. ¶¶ 99-101, 109). Importantly, standard industry practice is for companies to limit the lifespan of the tokens. By contrast, Facebook allegedly designed its access tokens to never expire (id. ¶¶ 83, 106-109). With this background in tow, this order now turns to the events at issue. 3. The Data Breach On September 14, 2018, Facebook discovered it had a coding vulnerability related to its “View As” feature. The vulnerability revealed users’ access tokens. Hackers accordingly stole the access tokens for 69,000 users. This led to the theft of a narrow set of information for 15 million worldwide [*9]  users (2.7 million United States users) and a more comprehensive set of information for 14 million worldwide users (1.2 million United States users) (id. ¶¶ 84, 95). The hacking began sometime after July 2017. The specific source of the vulnerability related to the internal coding of Facebook’s “View As” feature. This feature permitted users to see what their own “Timeline” looked like to other users (id. ¶¶ 3, 88, 91, 94). To illustrate, if a teenage user wanted to see his own account from the perspective of his parents’ account, the teenager would utilize this “View As” feature on his own account to “view” the account “as” his parents. This would enable the teenager to see firsthand what information his parents could and could not see on the teenager’s account. Momentarily stepping outside the consolidated complaint, Facebook has provided a declaration with step-by-step information of how the attack took place. Per the declaration, when a user’s “Timeline” would be accessed in the “View As” mode, an access token of the other user would generate in the Hypertext Markup Language (“HTML”) of the web page. The HTML is the part of the webpage that says “www.Facebook.com.” So, when the teenager  viewed his account through the eyes of his parents’ account, his parents’ access token generated in the part of the webpage that says “www.Facebook.com.” These attackers could then utilize the parents’ access token to access the parents’ account and repeat the identical process with the parents’ friends. Ultimately, per Facebook’s declaration, approximately 69,000 user accounts had their full accounts accessed through this vulnerability (Bream Decl. ¶¶ 12, 14). This vulnerability did not occur every time a user utilized the “View As” feature. Rather, the vulnerability only materialized if two additional (somewhat random) conditions were satisfied. First, the teenager’s birthday had to be visible on the “Timeline.” Second, at least three other users had to have posted birthday messages on that “Timeline” (id. ¶¶ 13, 14). Significantly, the vulnerability allowed for access tokens to be generated only if the “seed user” (the teenager) met the conditions described above. Accordingly, even if one user was vulnerable, not every account linked was also vulnerable (id. ¶ 16). To illustrate, if the teenager had his birthday visible on his “Timeline” and had three friends wish him happy birthday  on his “Timeline,” then his parents’ access token would be generated when the teenager viewed his account through the eyes of his parents’ account. With the parents’ access token in hand, the attackers could then turn to the parents’ account and treat that account as a new seed user account. If, however, the parents’ account did not have a birthday visible on their own “Timeline,” the access tokens to the parents’ friends’ accounts would not be revealed. This would end that branch of the access-token collection tree. The information taken in the attack did not end with these 69,000 users. Facebook connects users to each other. This means that once accounts have been connected to each other as “friends” on Facebook, one user can see another user’s information. Once the attackers compromised the access tokens to an account, account-information associated with connected accounts could be culled as well. This resulted in 29 million users (approximately 4 million users in the United States) having information taken in this data breach, according to Facebook (id. ¶ 9). These 29 million users can be divided into two groups. The first group comprises of approximately 15 million users (2.7 million users in the United States). For these users, the attackers obtained solely the user’s name and basic contact information (phone number and/or email addresses, depending on which users had chosen to provide to Facebook) (id. ¶ 11.c.). The second group comprises of approximately 14 million users (1.2 million users in the United States). For these users, in addition to the information listed for the first group, the hackers also obtained the username, gender, date of birth, and (if users had chosen to share it) workplace, education, relationship status, religious views, hometown, self-reported current city, website, the user’s locale/language, the types of devices used to access Facebook, the last ten places the user “checked into” or was “tagged” in on Facebook, the people or pages that the user “followed” on Facebook, and the user’s fifteen most recent searches using the Facebook search bar (id. ¶ 11.d.).

Judge Alsup found standing.

Facebook notified plaintiff Adkins that he had been subject to the data breach. A reasonable inference can therefore be drawn which traces the plausibly alleged harms to the purported mishandling of plaintiff Adkins’s personal information through the data breach. Accordingly, at this stage, plaintiff Adkins has established that he has standing. Plaintiff Adkins provided Facebook with his name, email address, telephone number, date of birth, locations, work and education history, hometown, relationship status, and photographs (Adkins Dep. 185:2-186:10, 314). Facebook informed plaintiff [*18]  Adkins through a notification that his information had been taken in this data breach. Plaintiff Adkins purported to have subsequently received extensive “phishing” emails and text messages. Plaintiff Adkins also spent as much as an hour managing the aftermath of the data breach (Dkt. No. 76 ¶¶ 163-170). This order now assesses the dual harms of risk of future identity theft and lost time. i. Risk of Future Identity Theft The information taken in this data breach gave hackers the means to commit further fraud or identity theft. Plaintiff Adkins personally alleges this information was taken. Specifically, his name, email address, telephone number, date of birth, locations, work and education history, hometown, relationship status, and photographs now reside with criminals (Adkins Dep. 185:2-186:10, 314). Extensive “phishing” emails and text messages have bombarded plaintiff Adkins since the attack. Between the hacking and the phishing, plaintiff Adkins has plausibly shown risk of further fraud and identity theft. Facebook argues that no sensitive information was taken. In Krottner v. Starbucks Corp., our court of appeals concluded that the combination of the sensitivity of personal information [*19]  with its theft can suffice to allege injury-in-fact. 628 F.3d 1139, 1140-43 (9th Cir. 2010). There, some of the data taken included social security numbers. Here, Facebook has gone to great lengths to show that all the information taken was otherwise publicly available information and not sensitive. The information taken, however, need not be sensitive to weaponize hackers in their quest to commit further fraud or identity theft. To this end, a more recent decision from our court of appeals held that the rightful injury-in-fact determination is not to look at the minutia of what information had been taken — such as credit card information or social security numbers — but to specifically determine whether the data taken “gave hackers the means to commit fraud or identity theft.” In re Zappos.com, Inc., 888 F.3d 1020, 1027-29 (9th Cir. 2018), cert. denied sub nom. Zappos.com v. Stevens, 139 S. Ct. 1373 (2019). This is not a departure from Krottner, which emphasized that the key inquiry was the “increased risk of identity theft.” Krottner, 628 F.3d at 1142. Imminent injury in fact can be established through information similar in function to social security numbers so long as the stolen data operated to be “sufficiently similar to that in Krottner to require the same conclusion . . . .” In re Zappos.com, Inc., 888 F.3d at 1027. The stolen data here is sufficiently similar. A [*20]  social security number derives its value in that it is immutable. So is someone’s date of birth, hometown, and high school, which had been taken here from plaintiff Adkins. As a result of this data breach, this information can now forever be wielded to identify plaintiff Adkins and target him in fraudulent schemes and identity theft attacks. The rest of the alterable information taken, such as plaintiff Adkins’s name, email address, telephone number, locations, work and education history, relationship status, and photographs, now in the hands of nefarious actors, will provide further ammo. Put simply, the amount of information taken “gave hackers the means to commit fraud or identity theft.” Ibid. This suffices under Krottner and Zappos. We must not forget that the hackers did not merely attack Facebook and loot it. These hackers went out of their way to run search queries on 69,000 hacked accounts for the sole purpose of culling personal information from an additional 30 million people. The attackers’ cards have been revealed: the goal was not merely to attack, the goal was to take personal information on a mass scale. It is not too great a leap to assume, therefore, that their goal [*21]  in targeting and taking this information was to commit further fraud and identity theft. That each strand of information can be painstakingly collected through a mishmash of other sources is irrelevant. Facebook is a centralized location which stores personal information for billions of users. Constructing this information from random sources bit by bit, would be hard. “Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.” Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 388 (6th Cir. 2016). “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015). Between the obvious goal of taking personal information, the nature and amount of information taken, and the extended phishing emails which have subsequently followed the attack, plaintiff Adkins has plausibly shown he is at risk of further fraud and identity theft. ii. Loss of Time Our court of appeals has never considered whether loss of time rectifying the aftermath of a data breach suffices to establish harm [*22]  for standing. Recently, however, the United States Court of Appeals for the Seventh Circuit stated that in a data breach, “the value of one’s own time needed to set things straight is a loss from an opportunity-cost perspective.” Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018). Here, plaintiff Adkins has stated that he received around 30 e-mails which he spent between a few minutes and an hour sorting through (Adkins Dep. 204:9-205:2). This order agrees with Dieffenbach that loss of time establishes injury in fact. This order also concludes that the amount of time alleged here establishes injury. True, sorting through a few dozen e-mails may or may not have taken an hour to rectify and perhaps the time spent later proves de minimis. This story, however, has yet to end. As consequences of this data breach continue to unfold, so too, will plaintiff’s invested time. More phishing emails will pile up. At this stage, the time loss alleged suffices. * * * Plaintiff Adkins has established standing through the dual harms of increased risk of future harm and loss of time. As to plaintiff Adkins, Facebook’s Rule 12(b)(1) motion is therefore Denied.