Northern California U.S. District Judge Edward Davila wrote that the two class-action defendents were unable to prove actual – and not theoretical – harm from the 2012 data breach in which passwords for 6.5 million user accounts were compromised and posted online. The data breach came to light in June 2012 and within weeks, a lawsuit was filed by Illinois resident Katie Szpyrka and days later by Khalilah Wright of Virginia.
The two sued shortly after learning that the company used encrypted user passwords using the outdated SHA-1 algorithm and without salting them to elevate their protection.
The two had sought compensation for what they considered a breach of contract in that the company had not taken appropriate security measures to ensure the safety of user passwords, especially those who paid monthly for a premium upgrade. They claimed they would not have purchased the upgrade had they known the encryption was the same as the free version.
“Any alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members. Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn’s services,” Davila wrote.
Additionally, Davila said the economic loss alleged from the breach could not be proven. He also rejected an additional claim by Wright that posting her password on the Internet posed a future risk of identity theft and the financial reprecussions that posed.
“Plaintiff Wright merely alleges that her LinkedIn password was ‘publically posted on the Internet on June 6, 2012.’ … In doing so, Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identify theft or theft of her personally identifiable information.”