Every tech company tells you your data is safe. They’ve (hopefully) got encryption, access controls, and zero-trust architectures—the whole glossy security brochure. And then someone on the inside writes a script to steal your private photos anyway.

That’s what a former Meta employee based in London is under criminal investigation for. He allegedly downloaded around 30,000 private images belonging to Facebook users. The Metropolitan Police’s cybercrime unit is handling the case.

According to court papers, the accused didn’t just browse around; he built a custom script designed to circumvent Meta’s internal detection systems.

Meta says it discovered the breach over a year ago, fired the individual, notified affected users, and referred the matter to UK law enforcement. The suspect is currently on police bail and must report to officers in May.

Meta’s track record on data protection is far from spotless. It agreed to pay $725 million in 2022 to settle a class-action lawsuit over the Cambridge Analytica scandal, where third-party developers harvested data from millions of Facebook users. Stories keep surfacing about Meta that give us pause when considering privacy and user safety. For example, Facebook engineers have admitted that they didn’t even know where user data was kept.

Rogue insiders

This kind of thing keeps happening. FinWise Bank disclosed last year that a former employee had potentially accessed records belonging to 689,000 customers. That breach went undetected for over a year. Coinbase also revealed that support staff working overseas had been bribed to steal data on nearly 70,000 customers. Even employees at electronics repair firms like to snoop around customers’ data in ways they shouldn’t.

What drives insiders to cross the line? Research into insider threat psychology has found that many documented incidents involve employees in technical professions like system administrators, database operators, and programmers. This makes sense, as they will likely have both the access and the skills to evade detection.

Motives range from financial gain to personal spite (as with this grocery store employee who leaked staff data) or voyeurism (as with this Yahoo engineer who accessed women’s nudes including those of women he knew personally). Employees will often commit their crimes after they’ve left the company, if administrators are lax about revoking system access.

How to protect yourself

Companies will tell you they take privacy seriously, and many do.

The standard defenses by companies against insider threats are well known: least-privilege access controls, multi-factor authentication, continuous monitoring of user behavior, and regular security audits. But the Meta case suggests that someone determined enough and technical enough to write their own tools can still sometimes circumvent those defenses.

So what can users do?

Store your most sensitive data (like private images) in a secure, password-protected environment. If a service doesn’t offer strong controls, it’s worth asking whether you’re comfortable trusting everyone who might have access behind the scenes.

Check out how to reduce your digital footprint and limit the info scammers and extortionists can use against you.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

*** This is a Security Bloggers Network syndicated blog from Malwarebytes authored by Malwarebytes. Read the original post at: https://www.malwarebytes.com/blog/data-breaches/2026/04/30000-private-facebook-images-allegedly-downloaded-by-meta-employee