Facebook has fired an employee who had allegedly used sensitive user data to stalk women online. Multiple former Facebook employees and people familiar with the matter told Motherboard of the flagship social media company’s data access policies. This also includes how those who work in the security team, have less oversight on their access than others.

According to one former Facebook worker, multiple people had been terminated in the past for abusing access to user data. This also includes employees who stalked their exes.

Another former Facebook employee told Motherboard that they know of three cases where employees were fired because they mishandled data, one of which included stalking Facebook users. Surprisingly, none of these incidents were reported publicly.

Different teams at Facebook have varying levels of access, and they can request additional access if required. Facebook sources did not specify the sort of data that different types of employees could access.

Several Reports of Abuse of High-Level Permissions

In 2015, a Finnish music producer and DJ record label owner Paavo Siljamäki visited Facebook’s L.A. campus and watched as an engineer accessed his Facebook account without a password. “Just made me wonder how many of Facebook’s staff have this kind of ‘master’ access to anyone’s account?” Siljamäki wrote in a Facebook post afterward. “What are the rules on who and when they can access our private content and how would we know if someone did? (My facebook did not notify me that someone else accessed my private profile).”

Facebook employees london office

Image: Facebook London office

Incidents like these are quite common in the Silicon Valley. Not so long ago, a rogue Twitter customer service employee had momentarily deactivated President Trump’s account. Micheal Sierchio, a former Uber security engineer, told the Center for Investigating Report (CIR) how anyone at Uber could abuse its “God View” mode to stalk an ex or look up anyone’s ride using the flimsiest of justification.

Facebook has 25,105 employees and 2.2 billion monthly active users (1:87631). A single employee at Facebook may have more power over users. After all, building systems to quickly access granular level data is one of the core competencies of companies in Silicon Valley. In January 2010, a Facebook employee told The Rumpus how the company at one time had a master password that would work for any account. I’m not going to give you the exact password, but with upper and lower case, symbols, numbers, all of the above, it spelled out ‘Chuck Norris,’ more or less,” the employee said.

All of these are just the incidents we know about. There have been more unreported cases of employees abusing high-level access to spy on or meddle with user accounts. These employees may have been given the pink slip, or they may have been allowed to return to their cubicles with a warning. None of these employees got in legal trouble, with the exception of Trump’s deactivation case. The employee who committed the prank on their last day by deactivating Trump’s account may have violated the Computer Fraud and Abuse Act, and many other laws that prohibit unauthorized access in various scenarios.