Former Meta Employee Investigated for Downloading 30,000 Private Facebook Photos
TL;DR
A former Meta engineer based in London is under criminal investigation by the Metropolitan Police and FBI for allegedly downloading approximately 30,000 private Facebook photos using a custom script designed to bypass internal security systems. The case exposes a recurring pattern at Meta: the company has fired dozens of employees for data abuse over the years, yet its internal access controls have repeatedly failed to prevent bulk extraction of user data.
A former Meta engineer is under criminal investigation for allegedly downloading approximately 30,000 private Facebook photos — and the case raises hard questions about whether the company's internal safeguards are built to catch insiders at all.
What Happened
The unnamed engineer, based in London, allegedly wrote a custom script while employed at Meta that circumvented the company's internal detection systems, enabling bulk access to private user images [1]. According to court documents reviewed by the Press Association, the engineer "is alleged to have accessed and downloaded approximately 30,000 private images belonging to Facebook users whilst working for Meta" [2].
The Metropolitan Police's Cybercrime Unit is leading the investigation, with the FBI collaborating on the case [3]. The engineer was arrested in November 2025 and released on police bail, with conditions requiring him to report to Met officers in May 2026 and to disclose any foreign travel plans. The UK's Information Commissioner's Office (ICO) has been notified and is working with Meta.
Meta says it discovered the breach more than a year ago, fired the employee, notified affected users, and referred the matter to UK law enforcement. A company spokesperson stated: "Protecting user data is our top priority. After discovering improper access by an employee over a year ago, we immediately terminated the individual, notified users, referred the matter to law enforcement and enhanced our security measures."
No formal criminal charges have been publicly filed as of April 2026.
The Legal Landscape
Because the investigation is centered in the UK, the primary criminal statute in play is the Computer Misuse Act 1990. Section 1 of the Act — unauthorized access to computer material — carries a maximum sentence of two years' imprisonment on indictment [4]. If prosecutors can establish that the access was intended to facilitate further offenses (such as distributing the images), Section 2 raises the maximum penalty to five years [4].
The involvement of the FBI suggests a potential cross-border dimension. If any of the 30,000 photos belonged to US-based users, American prosecutors could invoke the Computer Fraud and Abuse Act (CFAA). Unauthorized access to obtain information is a misdemeanor carrying up to one year for a first offense; it becomes a felony carrying up to five years where aggravating factors apply (commercial advantage or private financial gain, furtherance of another crime, or information valued above $5,000), and up to ten years for repeat offenders [5]. However, the Supreme Court's 2021 ruling in Van Buren v. United States narrowed the CFAA's scope significantly: the Court held that the statute does not cover someone who has authorized access but uses it for an improper purpose — only someone who accesses areas of a computer system they were never permitted to reach [6]. This distinction matters. If the engineer had legitimate credentials that technically granted access to user photo data — even if company policy forbade bulk downloading — Van Buren could complicate a US federal prosecution.
For the estimated three billion Facebook users worldwide, the data protection angle matters too. Under the EU's General Data Protection Regulation, Meta is required to notify supervisory authorities of a personal data breach "without undue delay" and, where feasible, within 72 hours of becoming aware of it, and to inform affected individuals when the breach poses a "high risk" to their rights [7]. Meta's lead EU regulator, the Irish Data Protection Commission (DPC), has already imposed cumulative fines exceeding €1.5 billion on the company across multiple enforcement actions.
Who Had Access — and Who Was Watching
The most uncomfortable question for Meta is not whether one engineer went rogue, but how many employees can do the same thing.
In 2021, the book An Ugly Truth: Inside Facebook's Battle for Domination by Sheera Frenkel and Cecilia Kang revealed that Facebook fired 52 employees between January 2014 and August 2015 alone for improperly accessing private user data [11]. The book reported that over 16,000 employees had direct access to private user information, and that then-Chief Security Officer Alex Stamos warned internally that "hundreds more may have slipped under the radar" [12].
The abuses documented were severe. One engineer used Facebook's internal tools to track the physical location of a woman who had left their shared hotel room after a fight. Another accessed "years of private conversations with friends over Facebook Messenger, events attended, photographs uploaded (including those she had deleted), and posts she had commented or clicked on" after a woman stopped responding to his messages. Frenkel and Kang wrote that "there was nothing but the goodwill of the employees themselves to stop them from abusing their access to users' private information."
Facebook's approach at the time was described as relying on "audit after the fact" rather than preventive access restrictions — a design that one source attributed to Mark Zuckerberg's preference for minimizing friction in engineering workflows. Since 2015, Meta says it has "continued to strengthen employee training, abuse detection, and prevention protocols" and has worked to "reduce the need for engineers to access some types of data". The company has also described an Internal Audit function, a Privacy Red Team that tests controls, and automated systems designed to detect incidents in real time [13].
Yet the current case — in which an engineer allegedly wrote a script specifically designed to evade those detection systems — suggests that whatever improvements Meta has made, they remain circumventable.
How Meta Compares to Peers
Insider threats are not unique to Meta, but the scale and frequency of documented incidents at the company are unusual among major technology firms.
Google faced a high-profile insider case in 2024 when software engineer Linwei Ding was charged with stealing over 500 confidential files containing proprietary AI chip designs and data center architecture, uploading them to a personal cloud account over the course of a year [14]. The case was prosecuted as trade-secret theft and economic espionage rather than a privacy violation, but it illustrated that even Google's access controls could be defeated by a determined insider.
Twitter (now X) saw two employees charged in 2019 with spying on behalf of Saudi Arabia, using their access to internal systems to identify and locate dissidents [15]. Unlike Meta's pattern of individual data voyeurism, the Twitter case involved state-sponsored espionage.
Uber came under regulatory scrutiny, culminating in a 2017 FTC consent order, after it emerged that employees had used an internal tool called "God View" to track riders' real-time locations, including journalists and celebrities [16]; the company separately paid a $148 million settlement to US state attorneys general in 2018 over its handling of a 2016 data breach.
Coinbase confirmed in 2025 that an insider threat led to data exposure affecting 69,461 users, a figure the company had initially characterized only as "less than one percent" of its customers [17].
The common thread: every major platform grants some employees access to user data for operational purposes, and every platform has seen that access abused. The difference at Meta is the volume: 52 terminations in roughly 20 months is well beyond the counts that have been publicly reported at any peer company.
The Privacy Settings Question
Public reporting has not specified how many of the 30,000 downloaded photos were set to "Friends Only," "Only Me," or other restricted privacy levels. This gap matters for both the legal case and the harm assessment.
Photos set to "Only Me" represent the highest expectation of privacy — content a user explicitly chose to hide from everyone. If those images were among those downloaded, the severity of the violation increases substantially. For users in sensitive situations — domestic abuse survivors who kept evidence private, minors whose parents restricted photo visibility, or public figures who maintained separate private collections — unauthorized access creates risks that extend beyond abstract privacy violations into physical safety.
Meta has said it notified affected users, which implies the company can identify whose photos were taken. But it has not disclosed how it identified them, whether it can confirm the photos were not further distributed, or whether its logging infrastructure captured the full scope of the engineer's access. The absence of this information is itself significant: if Meta cannot answer these questions, its access-logging systems may be less comprehensive than its public descriptions suggest.
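The question running through this section and the earlier "Who Had Access" section is a detection-engineering one: a volume alarm catches a burst but not a script written to stay under it, and an alarm that only counts fetches cannot tell you whose photos were taken. The Python below is an added example written for this page; it is not Meta's code and does not describe how the engineer's script worked. The audit-log format, field names, thresholds and every event are constructed for the demo. It contrasts a fixed-window rate detector, which flags a legitimate debugging burst and misses a throttled script, with a detector keyed on the breadth of distinct data subjects touched and on the presence of a justification ticket, which catches the script and returns the list of affected users, the record a company needs in order to notify them.

```python
"""Insider photo-access detection over constructed audit logs.

Added example, not Meta's code. All field names, thresholds and events are
assumptions made for the demonstration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PhotoAccess:
    ts: int                  # seconds, relative to a constructed epoch
    actor: str               # internal principal (hypothetical)
    subject: str             # owner of the photo
    photo_id: str
    visibility: str          # "public" | "friends" | "only_me" (hypothetical)
    ticket: Optional[str]    # justification reference, if any


def volume_threshold(events, window=60, max_per_window=20):
    """Naive detector: flag an actor whose fetch count in any fixed window
    exceeds max_per_window. Returns {actor: worst window count}."""
    buckets = defaultdict(Counter)
    for e in events:
        buckets[e.actor][e.ts // window] += 1
    return {actor: max(c.values()) for actor, c in buckets.items()
            if max(c.values()) > max_per_window}


def subject_breadth(events, lookback=24 * 3600, max_subjects=5):
    """Flag an actor who fetches non-public photos of more than max_subjects
    distinct owners within any lookback window, or who does so without a
    ticket. Returns {actor: sorted affected subjects}, i.e. the per-object
    record needed for user notification."""
    per_actor = defaultdict(list)
    for e in events:
        if e.visibility != "public":
            per_actor[e.actor].append(e)
    flagged = {}
    for actor, evs in per_actor.items():
        evs.sort(key=lambda e: e.ts)
        no_ticket = any(e.ticket is None for e in evs)
        breadth_hit = False
        in_window = Counter()    # distinct subjects in the sliding window
        start = 0
        for end, e in enumerate(evs):
            in_window[e.subject] += 1
            while evs[start].ts < e.ts - lookback:   # expire old events
                old = evs[start].subject
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_subjects:
                breadth_hit = True
                break
        if no_ticket or breadth_hit:
            flagged[actor] = sorted({e.subject for e in evs})
    return flagged


def constructed_log():
    """Constructed sample: one legitimate burst, one throttled bulk script."""
    events = []
    # Engineer debugging one user's image rendering under a ticket:
    # 30 fetches in one minute, a single subject.
    for i in range(30):
        events.append(PhotoAccess(i * 2, "eng_debug", "user_0042",
                                  f"p{i}", "friends", "TKT-1234"))
    # Script fetching one "only_me" photo every 45 s from 300 distinct users,
    # no ticket. Never more than two fetches per minute.
    for i in range(300):
        events.append(PhotoAccess(i * 45, "eng_bulk", f"user_{1000 + i}",
                                  f"q{i}", "only_me", None))
    return events


if __name__ == "__main__":
    log = constructed_log()
    print("rate detector flags:", volume_threshold(log))
    hits = subject_breadth(log)
    for actor, subjects in hits.items():
        print(f"breadth detector flags {actor}: {len(subjects)} subjects")
```

The rate detector reports only `eng_debug` (a false positive on the ticketed burst and a miss on the script); the breadth detector reports `eng_bulk` with all 300 owners. The design point is that the second detector is only possible if the audit log records the subject of every fetch, not just a count per actor, which is exactly the capability the public reporting leaves open.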
A Pattern of Regulatory Enforcement
This incident arrives against a backdrop of sustained regulatory action against Meta over data protection failures.
The FTC's 2019 settlement — a record $5 billion fine — stemmed from Facebook's violations of a 2012 consent order that had required the company to obtain express user consent before sharing information beyond their privacy settings [18]. The FTC alleged that Facebook violated that order within months of it being finalized, in conduct that contributed to the Cambridge Analytica scandal.
The Irish DPC, Meta's lead regulator in the EU, has imposed a series of escalating fines: €17 million in 2022 for failing to have appropriate technical and organisational measures in place around a series of data breaches [8], €1.2 billion in 2023 for transferring Facebook users' personal data to the US without adequate safeguards, €91 million in September 2024 after finding that Meta had stored user passwords in plaintext [10], and €251 million in December 2024 over a 2018 breach that affected approximately 29 million accounts globally [9].
Under the FTC consent order as modified in 2020, Meta is required to maintain a comprehensive privacy program, conduct employee training on data access policies, and submit to biennial independent privacy assessments. Whether this incident represents a violation of those requirements depends on facts not yet public — specifically, whether Meta's internal controls met the standard the order requires, or whether the engineer's script exposed a gap the company should have closed.
The Employee's Potential Defense
No public statement has been attributed to the engineer or a legal representative. But the contours of a possible defense are visible in the record.
If Meta's internal tooling gave engineers broad access to user photo data — as An Ugly Truth documented was the case historically — the employee could argue that the access itself was authorized, and that the script merely automated actions an engineer could perform manually. This is, in essence, the argument that succeeded in Van Buren: that misusing access you legitimately hold is a policy violation, not a criminal act [6].
Such a defense would shift scrutiny from the individual to the institution. If 16,000 employees had access to private user data as recently as 2015 [12], and if the engineer's role in 2024-2025 included any legitimate reason to view user content — content moderation tooling, debugging image rendering, or similar functions — the line between "authorized" and "unauthorized" may be genuinely ambiguous.
This does not excuse the alleged conduct. But it does raise the question of whether Meta's access-control model is designed primarily to prevent abuse, or primarily to enable engineering velocity — with enforcement applied retroactively, after the damage is done.
Disclosure Obligations and What Comes Next
Meta says it notified affected users and referred the matter to law enforcement more than a year ago. Under the UK GDPR, the retained version of the EU regulation that the Data Protection Act 2018 supplements, Meta was required to report the breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. The ICO has confirmed it is aware of the case, though it has not publicly stated whether Meta met that deadline.
In the US, the modified FTC consent order requires Meta to report privacy incidents to the Commission and to its independent assessor. If any affected users were in the EU, the Irish DPC's notification requirements also apply.
The investigation remains active. The engineer's bail conditions require a May 2026 check-in with the Metropolitan Police. Whether formal charges follow will depend on whether prosecutors can establish that the access was unauthorized in a technical sense — not merely prohibited by policy — and whether the scope of harm justifies criminal prosecution rather than civil enforcement.
For Meta's nearly three billion users, the case is a reminder that privacy settings control who sees your data among other users. They do not, and never have, controlled what the company's own employees can access. The distance between those two promises — the one Facebook makes to its users, and the one it enforces on its staff — is where the real story lies.
What Remains Unknown
Several key questions remain unanswered as of this writing:
- The engineer's identity and role: No name has been released, and it is unclear what team or function the engineer served, which would clarify whether photo access was part of their legitimate duties.
- Distribution of the photos: There is no public evidence that the 30,000 images were shared, sold, or posted elsewhere — but neither Meta nor law enforcement has confirmed they were not.
- Privacy settings of affected photos: Whether the images included "Only Me" content, or were limited to "Friends Only" or less restricted settings, has not been disclosed.
- Scope of access logging: It is unclear whether Meta's systems recorded exactly which users' photos were accessed, or only detected the anomalous volume of downloads.
- Regulatory response timeline: Whether Meta met its 72-hour notification obligations under GDPR and the UK Data Protection Act has not been publicly confirmed by the ICO or the Irish DPC.
These gaps are not unusual at this stage of an active criminal investigation. But they are the gaps that will determine how serious this incident ultimately proves to be — both for the individual involved and for the company that employed him.
Sources
- [1] Meta worker accused of downloading 30,000 private Facebook images (news.stv.tv). A former worker at Meta is under criminal investigation after he was suspected of downloading around 30,000 private Facebook images while employed as an engineer.
- [2] Meta says former Facebook engineer faces criminal probe (lbc.co.uk). Court papers allege the engineer accessed and downloaded approximately 30,000 private images belonging to Facebook users whilst working for Meta.
- [3] Facebook Engineer Under Investigation For Downloading Users' Private Photos (iheart.com). The Metropolitan Police's Cybercrime Unit, in collaboration with the FBI, is investigating. The engineer was arrested in November 2025 and released on bail.
- [4] Computer Misuse Act | The Crown Prosecution Service (cps.gov.uk). Section 1 unauthorized access carries up to 2 years imprisonment on indictment. Section 2 with intent to commit further offenses carries up to 5 years.
- [5] 18 U.S. Code § 1030 - Fraud and related activity in connection with computers (law.cornell.edu). The CFAA provides penalties of up to 5 years for first-offense unauthorized access to obtain information, and up to 10 years for repeat offenders.
- [6] Van Buren v. United States: Supreme Court Holds Accessing Information on a Computer for Unauthorized Purposes Not Federal Crime (congress.gov). The Supreme Court ruled that the CFAA does not prohibit improper use of information to which an individual has authorized access; only access beyond authorized limits.
- [7] Breach Notification | Data Protection Commission (dataprotection.ie). GDPR requires data controllers to notify data protection authorities of breaches without undue delay, typically within 72 hours of becoming aware.
- [8] Irish SA fines Meta Platforms €17M for data breaches (edpb.europa.eu). The Irish Data Protection Commission fined Meta €17 million in 2022 for failures to have appropriate technical and organisational measures in place.
- [9] Irish Data Protection Commission fines Meta €251 Million (dataprotection.ie). The DPC announced final decisions on inquiries into Meta following a 2018 personal data breach impacting approximately 29 million Facebook accounts globally.
- [10] Irish Data Protection Commission fines Meta Ireland €91 million (dataprotection.ie). The DPC fined Meta €91 million in September 2024 after finding Meta had stored user passwords in plaintext without appropriate security measures.
- [11] Dozens of Facebook Engineers Illegally Accessed Private User Data, New Book Says (bitdefender.com). Between January 2014 and August 2015, Facebook fired 52 employees over exploiting user data for personal means, according to An Ugly Truth.
- [12] Stalkers: 'Ugly Truth' of Facebook Staff Abusing Private Data (securityboulevard.com). Over 16,000 employees had direct access to private user data. Alex Stamos warned that hundreds more abusers may have slipped under the radar.
- [13] Privacy Progress - Meta (meta.com). Meta describes its Internal Audit, Privacy Red Team, automated detection systems, and employee training designed to identify privacy risks.
- [14] Google Contractor Security Breach: A Deep Dive into Insider Threats (breached.company). In 2024, Google engineer Linwei Ding was charged with stealing 500+ confidential files containing proprietary AI chip designs and data center architecture.
- [15] Are Meta and Twitter Ushering in a New Age of Insider Threats? (darkreading.com). Two Twitter employees were charged in 2019 with spying for Saudi Arabia, using internal access to identify and locate dissidents.
- [16] 7 Real-Life Data Breaches Caused by Insider Threats (syteca.com). Uber paid $148 million settlement after employees used God View tool to track riders' real-time locations including journalists and celebrities.
- [17] Coinbase Insider Breach Details (centraleyes.com). Coinbase confirmed an insider threat led to data exposure affecting 69,461 users, far more than initially characterized.
- [18] Facebook, Inc., In the Matter of | Federal Trade Commission (ftc.gov). The FTC's $5 billion 2019 settlement resolved charges that Facebook violated a 2012 consent order requiring express user consent before sharing data beyond privacy settings.