A former Meta engineer based in London is the subject of a criminal investigation by the Metropolitan Police's cybercrime unit over allegations they downloaded approximately 30,000 private images from Facebook users' accounts. The engineer, who was employed by Meta at the time, is accused of creating a specialised script designed to circumvent the company's internal security detection systems, enabling unauthorised access to personal photographs.
Police Investigation and Company Response
Meta confirmed that the suspected data breach was discovered more than a year ago. The company itself referred the matter to law enforcement authorities in the United Kingdom. A Meta spokesperson stated: 'Protecting user data is our top priority. After discovering improper access by an employee over a year ago, we immediately terminated the individual, notified users, referred the matter to law enforcement and enhanced our security measures. We are co-operating with the ongoing investigation.'
Legal Proceedings and Bail Conditions
The engineer, who resides in London, is currently on police bail while the criminal investigation continues. According to court documents, police allege the individual 'accessed and downloaded approximately 30,000 private images belonging to Facebook users whilst working for Meta' and 'created a script designed to circumvent Meta's internal detection systems, allowing him to do so.' Two weeks ago, magistrates agreed to vary the bail conditions, requiring the individual to report to Metropolitan Police officers in May and inform the force of any plans for foreign travel.
Historical Context of Meta's Privacy Issues
This latest security concern follows a series of privacy challenges for Meta. In 2018, Facebook suffered a bug believed to have affected up to 6.8 million people, granting third-party applications wider access to user photographs than intended. More recently, in 2024, Meta was fined 91 million euros by Ireland's Data Protection Commission for inadvertently storing millions of Facebook and Instagram user passwords in plaintext on internal systems, leaving them unprotected by encryption.
Broader Legal and Regulatory Implications
The investigation emerges shortly after Meta, alongside Google, suffered a landmark court defeat in Los Angeles last month. The companies were found liable for a woman's childhood social media addiction in a ruling that could have significant ramifications for how social media platforms operate in the future. This case highlights growing legal scrutiny over tech companies' responsibilities to protect users from harm.
Meta, which also owns WhatsApp and Instagram, has emphasised its commitment to user data protection through enhanced security measures following this incident. The company's proactive steps include notifying affected Facebook users about the breach, though specific details about the nature of the images or the number of users impacted remain undisclosed. The Metropolitan Police's cybercrime unit continues its investigation, with the engineer's next reporting date scheduled for May as the legal process unfolds.
