Banking data for 29,000 Facebook employees, which was stored on unencrypted hard drives, was stolen by a thief from a payroll worker’s car, according to a Bloomberg report. The hard drives contained information on thousands of US workers who were employed by Facebook in 2018, including bank account numbers, employee names, the last four digits of their social security numbers, their salaries, bonuses, and equity details. Facebook notified its staff of the theft via email Friday morning.

Though the stolen drives didn’t contain any Facebook user data, the theft still raises questions about Facebook’s level of caution around personal data, which seems shockingly low considering its history of user privacy scandals. The company also failed to notify employees until almost a full month after the break-in occurred on November 17th. An internal email revealed the company only realized the hard drives were missing on November 20th, and confirmed that the drives contained employee information on November 29th. The company is still working with police to recover the stolen hard drives, and is offering its employees two-year subscriptions to an identity theft protection service.

a shockingly low level of caution for personal data, even for its own employees

“We have seen no evidence of abuse and believe this was a smash and grab crime rather than an attempt to steal employee information,” a Facebook spokesperson shared in a statement to Bloomberg.

It’s not clear why the hard drives were being transported in the first place, as the employee wasn’t supposed to have taken them out of the office. It’s also horrifying that the hard drives storing personal information were unencrypted, especially given the amount of car theft in the Bay Area, where Facebook employees live and work. The spokesperson says Facebook has taken “appropriate disciplinary action.”

You can read the full Bloomberg report here.