Facebook engineer’s programme gave access to 30,000 private UK user images

A former Meta engineer is facing criminal investigation after allegedly using a custom-built programme to download around 30,000 private images from Facebook, bypassing the platform’s internal security systems.

The Alleged Breach and Method

According to court papers cited by police, the London-based engineer is alleged to have accessed and downloaded the trove of private user images while employed by Meta. The core of the allegation centres on how he allegedly evaded detection. It is claimed he created a specific script designed to circumvent Meta’s internal security and detection systems, which allowed the mass download to go unnoticed for a period.

Data protection experts note that an employee accessing personal data without authorisation could commit offences under both data protection and computer misuse laws. Jon Baines, a senior data protection specialist, added that an employer would generally not be held liable for such an employee’s actions if it had appropriate measures in place to prevent or detect unauthorised access.

Meta’s Response and Police Action

Meta confirmed the company itself discovered the “improper access” over a year ago. A company spokesperson stated that protecting user data was its top priority and that, upon discovery, it “immediately terminated the individual’s employment, notified users, referred the matter to law enforcement and enhanced our security measures.” The company says it is cooperating with the ongoing investigation.

The matter was referred to the UK’s Metropolitan Police cybercrime unit. The engineer was arrested in November 2025 and remains on police bail as the investigation continues. Magistrates recently varied his bail conditions, requiring him to report to officers in May and to inform the force of any plans for foreign travel. Some reports indicate the FBI is also involved in the investigation.

A Pattern of Data Security Issues

This incident is the latest in a series of data protection controversies for the tech giant. In December 2024, the Irish Data Protection Commission (DPC) fined Meta €251 million following an inquiry into a major personal data breach reported in September 2018, which impacted approximately 29 million Facebook accounts globally. A portion of that fine was for failing to ensure “data protection by design”.

That 2018 breach was separate from a bug disclosed that same year, where a flaw in Facebook’s photo API potentially gave third-party apps wider access to the private photos of up to 6.8 million users for 12 days.

More recently, in September 2024, the Irish DPC fined Meta Platforms Ireland Limited €91 million for failing to protect user passwords, which had been stored in plaintext—without encryption—on its internal systems, a vulnerability discovered in 2019. This followed a record-breaking €1.2 billion fine in May 2023 from the European Data Protection Board for illegally transferring European users’ personal data to the United States.

In the UK, the Information Commissioner’s Office (ICO) has previously taken action against the company, fining Facebook £500,000 in October 2018 for failing to protect UK users’ data in the Cambridge Analytica scandal. The company now operates under stricter UK data protection law, primarily the UK GDPR and the Data Protection Act 2018, and the broader Online Safety Act 2023.

This security breach allegation also follows a significant US court defeat for Meta in March 2026, where a Los Angeles jury found the company (alongside Google) liable for designing addictive platforms that harmed a young user. The jury attributed 70% of the responsibility to Meta.

Alaric Whitcombe

Political Correspondent
Alaric Whitcombe is a political correspondent reporting from Westminster, London. He covers UK politics, parliamentary activity, government decision-making, and UK Crime, providing clear, fact-based context around legislation, policy developments, and major public-safety stories. His work focuses on factual reporting and clear explanation, helping readers follow political events without bias or speculation.
· Westminster lobby reporting, select committee analysis, court proceedings coverage
· Parliamentary debates, legislation and policy, elections, criminal justice system, policing, Crown and Magistrates' Courts
