Facebook security analyst is fired for using private data to stalk women

Already under intense scrutiny for leaking sensitive data belonging to more than 87 million users, Facebook said it fired a security engineer accused of using his company position to stalk women.

The allegations surfaced Sunday in a series of tweets from Jackie Stokes, founder of a firm called Spyglass Security.

I’ve been made aware that a security engineer currently employed at Facebook is likely using privileged access to stalk women online.

I have Tinder logs. What should I do with this information?

— Jackie Stokes ?? (@find_evil) April 30, 2018

Stokes included portions of a purported discussion between the unnamed Facebook employee and someone else over the Tinder dating app. In it, the employee said he was a “security analyst” whose role in trying to identify who hackers were in real life made him a “professional stalker.” He then told the person, “so out of habit I have to say you are hard to find lol.” Stokes later tweeted that the exchange was only a limited snippet of the overall conversation.

Referring to the person the Facebook analyst was chatting with, Stokes also wrote, “I have a suspicion that her Instagram account which was connected to Tinder was used to identify her. The question is whether he was able to find the information he gave her in chat (which caused her, a software engineer herself, to be terrified) by identifying her on Facebook.”

The tweets, which were first reporter by Motherboard, quickly found their way to members of the Facebook security team, who initially said they were investigating the allegations. By Tuesday, Facebook publicly confirmed that it fired the employee. In a statement issued Thursday, company Chief Security Officer Alex Stamos wrote:

We quickly investigated this situation and immediately fired the person. It’s important that people’s information is kept secure and private when they use Facebook. It’s why we have strict policy controls and technical restrictions so employees only access the data they need to do their jobs—for example to fix bugs, manage customer support issues or respond to valid legal requests. We don’t just rely on policies; we also verify. Access to sensitive data is logged, and we have automated systems designed to detect and prevent abuse. Employees who abuse these controls will be fired—period.

Like many companies that handle large amounts of sensitive personal data, Facebook permits employees to access user records only when there is a legitimate business reason, such as investigating reports of abuse or troubleshooting performance problems. Only employees in certain roles have the ability to access those records, and even then, before authorized employees can open a record, they receive an on-screen reminder that the access isn’t permitted for personal reasons. All record access is logged, too, to make it easy for abuse to be detected.

The incident underscores the recurring threat Facebook and other companies face from rogue insiders who fail to follow company policies. According to Motherboard, Facebook has fired multiple employees for similar abuse. And of course, the firing comes weeks after the world learned Facebook exposed data from 87 million users to an analytics firm that did work for the Donald Trump presidential campaign. The lesson: if you want to keep a picture, identity or other data secret, don’t post it online, no matter how strict the service claims its policies are.