Less than two weeks after learning that more than 6 million stolen LinkedIn password hashes were posted online, an Illinois woman is leading a class-action lawsuit against the professional networking site for using inadequate security measures to protect its members’ data.
Katie Szpyrka, who registered for a LinkedIn account in 2010, filed the lawsuit last week in U.S. District Court in Northern California. In the complaint, she claims LinkedIn violated its own privacy policy in failing to use industry standards to protect personally identifiable information.
The company did not encrypt its passwords; it stored them as SHA-1 hashes, and it neglected to salt them before hashing. A per-user random salt means that two members with the same password get different stored values, and that an attacker who obtains the list cannot recover every matching password with a single precomputed table or a single pass through a dictionary; without it, one guess that matches a hash matches every account sharing that password. Preliminary reports also indicate the attackers used a SQL injection attack to reach the databases through the company’s Web site, according to the lawsuit.
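To make the difference concrete, the following Python script is an added illustration, not code from the article or from LinkedIn. It compares the unsalted SHA-1 storage the complaint describes with a salted, iterated scheme (PBKDF2 from the standard library). The user names, passwords, and the small wordlist are constructed sample data, and the iteration count is an arbitrary assumption chosen to keep the run short; the point it demonstrates is that a single dictionary pass cracks every unsalted account at once, while salting forces the attacker to redo the work per account and hides which accounts share a password.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the case): two members share a password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}
# Constructed attacker wordlist; "linkedin2012" is in it, "Tr0ub4dor&3" is not.
WORDLIST = ["password", "123456", "linkedin", "linkedin2012", "qwerty"]

# Assumed PBKDF2 cost; a production setting would be higher and tuned to hardware.
ITERATIONS = 100_000


def sha1_unsalted(password):
    """The 2012-era storage: one SHA-1 of the raw password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(hashes, wordlist):
    """Hash each candidate word ONCE and look every stored hash up in that table.
    Returns (cracked mapping, number of hash computations)."""
    table = {sha1_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password, iterations=ITERATIONS):
    """Salted storage: a fresh random salt per record, plus an iterated KDF."""
    salt = os.urandom(16)
    return (salt, iterations, pbkdf2(password, salt, iterations))


def verify_salted(password, record):
    salt, iterations, digest = record
    # Constant-time comparison so verification timing leaks nothing about the digest.
    return hmac.compare_digest(pbkdf2(password, salt, iterations), digest)


def crack_salted(records, wordlist):
    """No shared table is possible: every (account, word) pair costs a full KDF run.
    Returns (cracked mapping, number of KDF computations)."""
    cracked, work = {}, 0
    for user, record in records.items():
        for w in wordlist:
            work += 1
            if verify_salted(w, record):
                cracked[user] = w
                break
    return cracked, work


def compare_schemes():
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}

    cracked_u, work_u = crack_unsalted(unsalted, WORDLIST)
    cracked_s, work_s = crack_salted(salted, WORDLIST)
    return {
        # Same password, same hash: the leaked list itself reveals shared passwords.
        "unsalted_alice_eq_bob": unsalted["alice"] == unsalted["bob"],
        # Salted records differ even for the same password.
        "salted_alice_eq_bob": salted["alice"][2] == salted["bob"][2],
        "cracked_unsalted": cracked_u,
        "cracked_salted": cracked_s,
        "work_unsalted": work_u,
        "work_salted": work_s,
    }


if __name__ == "__main__":
    for k, v in compare_schemes().items():
        print(f"{k}: {v}")
```

Both schemes eventually give up the weak shared password because it is in the wordlist, but the unsalted run needs as many hash computations as there are words regardless of how many accounts leaked, whereas the salted run pays one slow KDF per guess per account. That per-account cost, multiplied by millions of hashes, is the protection the complaint says LinkedIn forfeited.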
“LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker by bypassing its outer layer of security,” the complaint states. “In so doing, defendant violated its privacy policy’s promise to comply with industry standard protocols and technology for data security. … Had LinkedIn used proper encryption methods, and a hacker were able to penetrate LinkedIn’s network, he would be limited in his ability to inflict harm.”
The lawsuit also faults LinkedIn for not alerting users soon enough.
“Only after third party observers publicly announced the origin of the password list did LinkedIn become aware that its security had been breached and that confidential information had been removed. Initially, LinkedIn publicly responded by stating, ‘Our security team continues to investigate this morning’s reports of stolen passwords. At this time, we’re still unable to confirm that any security breach has occurred.'”
On June 9, the company admitted it was not handling user data in accordance with best practices, the suit said.
“That LinkedIn did not recognize its databases had been compromised until it was informed through public channels provides further evidence that the company didn’t adhere to industry standards. Specifically, LinkedIn did not implement, or it poorly implemented, an intrusion detection system to properly identify and quickly respond to attacks on its servers.”
Within days of the announcement, LinkedIn officials said the company had sent e-mails to breach victims, who represent a small percentage of its 120 million members. But an anti-spam technology provider discovered that about 250,000 of those affected had flagged the official password reset notification as spam. Some found the message suspicious because of its timing and lack of detail, which is also what a phishing lure would look like; others routinely send LinkedIn e-mail to spam folders to control the volume they receive.
A LinkedIn spokeswoman told Reuters today that the lawsuit was without merit.
“No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured,” Erin O’Harra said. “Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior.”
Szpyrka, who maintained a premium LinkedIn account for about $26 a month, is represented by the firm Edelson McGuire, which on March 28 obtained a settlement against social gaming company RockYou over a 2009 data breach. RockYou denied any wrongdoing but agreed to pay Edelson almost $300,000 in legal fees.
Szpyrka is suing for $5 million or more in damages. Causes of action include (a) violation of California’s Unfair Competition Law for failing to properly safeguard sensitive personally identifiable information; (b) violation of the state’s Consumers Legal Remedies Act by stating it used industry standards when it did not; (c) breach of implied and actual contracts and of the implied covenant of good faith and fair dealing; and (d) negligence.