Facebook faced a civil penalty of up to $1.7 billion after the attorney general for Washington, DC filed a lawsuit against the social media giant, accusing it of misleading users about the security of their data.

The complaint alleged Facebook’s lack of oversight, failure to properly vet third-party apps and confusing privacy settings put users’ data at risk, eventually allowing one of those apps to harvest and sell the personal information of millions of users to data mining company Cambridge Analytica without their consent.

Facebook subsequently failed to disclose the breach to users for two years and didn’t take proper steps to ensure improperly obtained data was deleted by Cambridge Analytica, it added.

The attorney general’s office stated the lawsuit aims to force Facebook to put into place “protocols and safeguards to monitor users’ data” and make it easier to navigate privacy settings. It also seeks up to $5,000 in recompense for each of the 340,000 Facebook users in the US state impacted by the breach.

During a call with reporters, Washington, DC attorney general Karl Racine said “our goal with this lawsuit is to obtain relief for harmed consumers who were exploited because of Facebook’s failure to protect their personal information and to make sure this does not happen again”.

“We hope this lawsuit will ensure that Facebook takes better care with consumers’ data and also serves as a broader warning to other social networking and other online companies that they have a legal duty to take the utmost care to safeguard individuals’ information from fraud and exploitation.”

Facebook is also facing an investigation from the US Federal Trade Commission over the Cambridge Analytica breach.

In a statement to Reuters, Facebook said it was reviewing the complaint and would discuss the matter with Racine and other attorney generals.