**Summary:** A former Meta engineer in London is under criminal investigation for allegedly creating a program to extract about 30,000 private Facebook photos, bypassing security measures. This incident is one of several privacy and security failures for Meta in recent years. Despite its internal systems designed to prevent unauthorized access, the engineer allegedly accessed user data, leading to his arrest in November 2025. Meta discovered the breach over a year prior, dismissed the employee, and referred the matter to law enforcement. The Metropolitan Police’s Cybercrime Unit is handling the case following an FBI referral.
**Breach Details:** The engineer reportedly wrote a program to obtain private images without detection, resulting in the extraction of images from users’ accounts. Meta identified the breach before April 2025, leading to ongoing investigations. Meta has updated its security systems and notified affected users.
**Meta’s Security Record:** The investigation adds to Meta’s numerous privacy and security issues, resulting in significant financial penalties. In November 2022, the Irish Data Protection Commission fined Meta €265m for a data-scraping incident. In September 2024, a €91m fine followed due to the unencrypted storage of Facebook and Instagram users’ passwords. In March 2026, Meta was found negligent in a social media safety case, facing a jury verdict and $6m in damages.
**Insider Threats:** The London case highlights technology platforms’ challenges in managing trusted insiders. Insider threats can circumvent systems using legitimate access, posing unique risks. Although Meta responded by firing the employee and making a law enforcement referral, questions remain about the breach’s duration and the effectiveness of its detection systems. The Metropolitan Police’s investigation will address these issues and potential criminal charges.
**Impact on Facebook Users:** Users whose private photos were taken face discomfort knowing their images are now outside the platform, especially those who chose to keep them private. The responsible engineer was employed by the very company entrusted to safeguard their data.