Ex-Meta engineer investigated for accessing over 30,000 private Facebook photos.

      In summary: A former Meta engineer based in London is facing a criminal investigation after reportedly creating a program to extract approximately 30,000 private Facebook images, circumventing the platform’s security measures. This incident is part of a troubling trend of privacy and security issues at the company over the last four years.

      Meta's internal security systems are intended to prevent exactly this kind of misuse: unauthorized access to user data by the people who built the platform. However, according to the Metropolitan Police and the Press Association, these systems failed in this instance. A man in his 30s, a former Meta engineer residing in London, was arrested in November 2025 on charges of unlawful access to computer data under the Computer Misuse Act. He has been released on bail and is scheduled to report to police in May 2026. The case, which came to public attention this week, is now being handled by the Metropolitan Police's Cybercrime Unit following a referral from the FBI.

      Alleged method of the breach

      The engineer is thought to have developed a program capable of accessing private images from Facebook accounts while avoiding Meta's security measures intended to detect unusual internal access. Investigators claim this led to the extraction of about 30,000 photos belonging to users who had not made those images publicly available. Meta informed the BBC that the breach was identified more than a year ago, prior to April 2025, after which the company stated it promptly terminated the employee and reported the situation to law enforcement.

      Neither Meta nor the Metropolitan Police have publicly revealed the details of how the program managed to evade detection. The timeline shows that several months passed between the discovery of the breach and the man's arrest in November 2025, indicating a cross-jurisdictional investigation that included coordination with the FBI prior to the case being handed over to UK authorities. Meta has since informed the Facebook users whose images were accessed and has enhanced its security measures to rectify the vulnerability.

      A history of security issues

      The ongoing investigation compounds a lengthy record of privacy and security challenges that have plagued Meta for years, which regulators have deemed serious enough to impose substantial fines. During 2025, Meta invested tens of billions into expanding its AI infrastructure, but this has not shielded the company from accumulating significant regulatory liabilities.

      In November 2022, the Irish Data Protection Commission, serving as Meta's primary GDPR regulator in the EU, imposed a €265 million fine after a data scraping investigation uncovered personal information from around 533 million Facebook users. This data, which included names, phone numbers, and email addresses, was found on an online hacking forum in April 2021. The DPC concluded that Meta had failed to implement necessary data protection measures as mandated by Articles 25(1) and 25(2) of the GDPR.

      Two years later, in September 2024, the same regulator issued another fine of €91 million after discovering that Meta had unintentionally stored the passwords of approximately 600 million Facebook and Instagram users in plaintext format on its internal systems, without any encryption or cryptographic safeguards. Although the passwords were never exposed externally, the failure to secure them internally breached multiple GDPR provisions including the essential obligation to implement suitable technical security measures. Together, these two fines total €356 million imposed by a single European regulator within a three-year timeframe.

      Meta is also under increasing legal scrutiny concerning its platform designs. In March 2026, a jury in Los Angeles found Meta and Google liable in a landmark social media safety trial, determining that Instagram and YouTube were designed in ways that endangered younger users, with the companies being aware of these risks and failing to adequately inform users about potential harm. The plaintiff, a 20-year-old woman known publicly as Kaley, was awarded $6 million in damages, consisting of $3 million in compensatory damages and $3 million in punitive damages, with Meta responsible for 70% of the overall liability. Both companies have stated their disagreement with the verdict and plan to appeal.

      The challenge of insider threats

      The investigation in London highlights a particular risk that large tech platforms struggle to manage: the trusted insider. External breaches, where attackers infiltrate systems from outside, can be mitigated using firewalls, rate limiting, and anomaly detection. However, the issue with insider threats is that the individual probing the systems has legitimate access and may know precisely how to bypass monitoring systems.

      Meta's assertion that it identified the breach and acted swiftly—terminating the employee and referring the case to law enforcement—indicates that its internal controls eventually recognized the unusual activity, even if they did not prevent it from occurring. What remains unclear is the duration the extraction program operated undetected and how 30,000 images managed to exit the platform without triggering an immediate alert. These questions are likely to be part of the Metropolitan Police's investigation, along with any potential criminal charges that the Crown Prosecution Service may pursue after the bail period ends.

      For the Facebook users whose private images were accessed, the notification from
