Facebook Inc. says a lawsuit over a data breach that affected almost 30 million users should be tossed because the lawyers who filed it have provided no evidence that anyone was injured by the attack.
The suit was filed last year on behalf of 18 Facebook users seeking to represent a class of 29 million. But 16 of the users dropped out of the case; one was dismissed by the judge; and the last remaining plaintiff has been unable to back up his claim that he was hit by phishing attacks after the breach, Facebook said in a filing Thursday in San Francisco federal court.
A federal judge issued a strongly worded ruling in June rejecting Facebook’s request to dismiss the case. The world’s largest social network portrayed itself as the victim of a sophisticated cyber-attack and argued that it isn’t liable for thieves gaining access to user names and contact information.
“From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks,’” U.S. District Judge William Alsup wrote, citing a decision in another case.
The lawsuit stems from a data breach that Facebook revealed a year ago in which hackers exploited software bugs to obtain access to millions of user accounts. The company contends it acted quickly to contain the damage and that attackers failed to get more sensitive information, including credit card numbers and passwords, saving users from any real harm.
Lawyers filed their class-action complaint on the same day Facebook disclosed the breach.
Alsup tossed a couple of the claims in the case in his June ruling but concluded the lawyers sufficiently backed up their allegation that Facebook was negligent in its handling of user data. The judge said the case should move forward with discovery and toward trial “with alacrity.”
Facebook fought back in Thursday’s filing, urging the judge not to grant the case class-action status and to dismiss it entirely for lack of evidence that anyone was harmed by the data breach.
The one remaining plaintiff, Stephen Adkins, a Michigan man who joined Facebook in 2009, claimed he was “bombarded” by phishing emails following the attack and lost time “sorting through” them. But Facebook’s lawyers say he couldn’t back that up when he was questioned in a deposition.
“He has pointed only to three spam emails received six months after the attack, which do not contain any of the information compromised in the attack, and which he was not even aware he received until his lawyers dug them out of his junk mail folder,” the company’s lawyers said in the filing. “A few random spam emails cannot be the keys to federal court.”
Attorneys for the plaintiffs didn’t immediately respond to requests for comment.
The case is Echavarria v. Facebook Inc., 3:18-cv-05982, U.S. District Court, Northern District of California (San Francisco).