- London's Metropolitan Police are investigating a former Meta employee for the illegal downloading of some 30,000 private images from Facebook users.
- The suspect allegedly developed a script to circumvent the company's internal security controls while still working there.
- Meta fired the employee, notified affected users of the breach, and claims to have strengthened its systems to prevent further incidents.
- This case adds to previous leaks at Meta, keeping the regulatory and social focus on data protection on large platforms.
The London Metropolitan Police is investigating a former Meta employee suspected of accessing a vast number of private Facebook photos without permission. The case, involving some 30,000 images, has reignited the debate about the extent to which personal data is truly protected on major tech platforms, and how users can safeguard it, such as by protecting the gallery with a PIN.
According to information reported by British media such as The Telegraph and the BBC, the former employee allegedly took advantage of his position within the company to circumvent internal controls and collect images that users shared in a restricted manner, something that can also happen with spyware that steals data and photos. While the legal process continues, the suspect remains free on bail, awaiting clarification of the details and possible criminal liabilities.
What is known about the accusation against the former Meta employee
According to the documents filed in court, the police accuse the former employee of illegally accessing around 30,000 private photographs hosted on the social network Facebook. These images belong to user accounts that had never authorized the use or download of their content, and many users choose to create their own private cloud to have greater control over their backups.
The suspect was reportedly arrested in November last year and charged with unauthorized access to computer equipment. Despite the initial arrest, authorities released him on bail, and he remains on bail while agents specializing in cybercrime continue to gather evidence and analyze the scope of the incident.
The key to the case lies in an automated, script-type program. The software, which the employee himself allegedly designed, would have allowed him to operate from within the company and circumvent the detection and access control systems that Meta uses to monitor internal activity involving sensitive user information.
According to sources, the script was designed to collect images en masse that, under normal circumstances, are only visible to the account holder's contacts or even just their own contacts. The exploitation of this privileged access, linked to their position within the company, is one of the factors the police are evaluating to determine the seriousness of the incident.
British authorities have not released the suspect's identity or specific details about his role within Meta, which is common practice in these types of cybercrime and data protection investigations. What they have confirmed is that they are investigating whether the images were stored, shared with third parties, or used for other purposes yet to be clarified.
How would the script have worked to bypass security controls?
Court documents indicate that the former employee devised a specific computer mechanism to circumvent the internal systems that regulate who can view and download content on Facebook's servers. Instead of a classic external attack, this would involve the abuse of credentials and insider knowledge of the company's infrastructure.
Since it was a script, the program likely automated tasks that would otherwise trigger security systems. Repeated requests, access to profiles unrelated to the employee's usual work, or massive file downloads are some of the behaviors that normally raise alarms, but in this case they would have been camouflaged or executed without being detected in time.
These types of incidents highlight that, in addition to the classic image of the external hacker, technology companies must also monitor the internal threat: people with legitimate access who, for various reasons, end up misusing the information they can access thanks to their position.
Cybersecurity experts consulted by the British press point out that controls should not only be based on initial passwords and permissions, but also on continuous monitoring of the activity carried out by each user within the corporate network. Anomalous patterns, such as the continuous downloading of private files, should generate early alerts to prevent irregular behavior from continuing over time.
In this case, the magnitude of the figures — with tens of thousands of potentially compromised private photos — suggests that the script was running long enough for the former employee to collect a significant amount of content before the system and the company itself detected what was happening.
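The activity monitoring described above can be sketched as detection logic over an internal access log. This is an added example, not code from Meta or from the reporting; the log format, employee and account names, case-id field and thresholds are all assumptions. It pairs a short-window rule with a daily cumulative rule so that slow, sustained collection is flagged as well as bursts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All three thresholds are assumed values for illustration.
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 20   # distinct accounts without a work case, per window
DAILY_LIMIT = 50   # distinct accounts without a work case, per day

def parse(line):
    # Hypothetical record: "<iso timestamp> <employee> <account owner> <case id or ->"
    ts, emp, owner, case = line.split()
    return datetime.fromisoformat(ts), emp, owner, case != "-"

def detect(lines):
    """Return a set of (employee, rule) pairs for every breached limit."""
    recent = defaultdict(deque)  # employee -> (ts, owner) inside the burst window
    daily = defaultdict(set)     # (employee, date) -> owners accessed that day
    alerts = set()
    for ts, emp, owner, justified in sorted(map(parse, lines)):
        if justified:
            continue  # simplification: any case id counts as a work reason
        win = recent[emp]
        win.append((ts, owner))
        while ts - win[0][0] > BURST_WINDOW:
            win.popleft()
        if len({o for _, o in win}) >= BURST_LIMIT:
            alerts.add((emp, "burst"))
        daily[(emp, ts.date())].add(owner)
        if len(daily[(emp, ts.date())]) >= DAILY_LIMIT:
            alerts.add((emp, "daily"))
    return alerts

def sample_log():
    """Constructed records: one bursty, one throttled, one legitimate employee."""
    t0 = datetime(2024, 1, 10, 9, 0, 0)
    rows = []
    for i in range(25):  # emp_a: 25 accounts in under a minute, no case id
        rows.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} emp_a user_{i} -")
    for i in range(60):  # emp_b: one account every 5 minutes, no case id
        rows.append(f"{(t0 + timedelta(minutes=5 * i)).isoformat()} emp_b user_{100 + i} -")
    for i in range(30):  # emp_c: fast, but every access cites a case id
        rows.append(f"{(t0 + timedelta(seconds=i)).isoformat()} emp_c user_{200 + i} CASE-{i}")
    return rows

if __name__ == "__main__":
    for emp, rule in sorted(detect(sample_log())):
        print(emp, rule)
```

On the constructed data the throttled employee never trips the 10-minute rule and is caught only by the daily count, which is why both horizons are tracked.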
Meta's reaction: dismissal, user notification, and increased security
Once the gap was identified, a company spokesperson explained that Meta discovered the vulnerability more than a year ago. At that point, the company made several decisions almost immediately: the dismissal of the employee involved, the notification of the case to the authorities, and the notification of potentially affected individuals.
Meta says that, after detecting the incident, it updated its internal prevention and control mechanisms to prevent employees from misusing their professional network access for purposes unrelated to their job duties. These adjustments would include additional layers of oversight of internal account activity and a review of the permissions associated with each role.
Regarding communication with users, the company states that it has sent notifications to those who may have been affected by the illegal downloading of their photos. This step, in addition to fulfilling a transparency obligation, is key to complying with data protection regulations, which are very stringent in both the United Kingdom and the European Union.
The company insists that it is collaborating with the British security forces, providing the records and technical evidence necessary to reconstruct exactly what happened, how long the unauthorized access lasted, and what actual volume of information was exposed.
For Meta, the case represents a new public test of its security policies and its ability to detect irregular behavior within its own ranks in a timely manner, an aspect increasingly monitored by regulators and data protection authorities in Europe.
A history of breaches that increases scrutiny of Meta
The incident with the former employee adds to other previous situations that have damaged Meta's reputation in the area of privacy and personal data management. One of the most memorable episodes took place in 2018, when a leak exposed the information of some 29 million Facebook accounts worldwide.
That case, which also had a major impact on the European Union and countries like Spain, ended with economic sanctions that amounted to around 251 million euros. The fine was a clear sign of the regulators' willingness to firmly enforce the established rules of the game, especially after the entry into force of the General Data Protection Regulation (GDPR).
For European users, this history has created a sense of constant scrutiny regarding how Big Tech handles personal information. Data protection authorities, both in the UK and the EU27, are scrutinizing in detail every security breach that involves giants like Meta, Google or TikTok.
In this context, the new case of unauthorized access to private photos reinforces the arguments of those who call for stricter controls, regular audits, and exemplary sanctions when a company fails to guarantee adequate protection of the data it manages.
It's not just about preventing data leaks, but also about ensuring that the people working at these companies can't divert information for unauthorized uses. This dual challenge—external and internal threats—has become one of the biggest hurdles for any platform with hundreds of millions of users.
Implications for European users and data protection regulations
Although the case is being investigated in London, the impact transcends the borders of the United Kingdom and directly links to the concerns of users in Spain and the rest of Europe. Millions of European profiles use Facebook daily, share personal photos, and trust that their data will be protected under the GDPR.
European regulations require companies operating on the continent to notify relevant data breaches to the competent authorities and affected parties within relatively short timeframes. These types of incidents reinforce the public demand for... greater transparency about what happens when an incident originates from within the company itself.
In practice, Spanish and European users view any news related to massive leaks or unauthorized access with increasing distrust. The feeling that social networks can become an unwelcome showcase if internal security fails is gradually taking hold in public opinion.
Data protection authorities, for their part, use these cases as a reference to develop new guidelines and supervisory criteria. The message to tech companies is clear: investing in security is not enough. It is necessary to demonstrate that internal controls are effective and that gaps are managed quickly and rigorously.
In an environment where more and more photos, videos, and intimate content are being shared through social media platforms, the fact that a worker can download tens of thousands of private images once again highlights the need to strengthen safeguards for those who entrust their digital lives to these tools, especially those with ephemeral sharing features such as photos that you only see once.
The progress of the investigation and the possible legal scenarios
Meanwhile, the Metropolitan Police investigation continues, focused on determining the true extent of the incident. Officers are working to clarify how long the script was active, what exact amount of content was downloaded, and whether there was any attempt to distribute that material to third parties, either on or off the network.
Depending on the findings, the former employee could face additional charges related to computer crimes and privacy breaches. British law provides for severe penalties for unauthorized access to computer systems, and even more so when an internal position within a company is used to commit the offense.
The investigation will also determine whether people in other countries, including Europe, were affected, and if there was any coordination with other individuals. At this time, authorities have not mentioned the involvement of any other suspects, but no possibility has been ruled out until the analysis of the collected data is complete.
For Meta, beyond the employee's potential personal liability, the case has become a new test of the strength of its internal control mechanisms. The outcome of the investigation could influence how European regulators and legislators formulate future data governance requirements for the big tech companies.
Pending the outcome of the legal proceedings, the events have already fueled a long-standing debate: what kind of additional oversight is needed for platforms that collect so much personal information, and what specific guarantees should they offer to citizens who use them daily?
This episode once again demonstrates the extent to which data protection on social networks depends not only on firewalls and automated systems, but also on human controls, clear internal policies, and constant monitoring of who has privileged access to information. What happens with this former Meta employee and the consequences of the case will most likely set new benchmarks for how privacy responsibilities are managed within the technology sector.

