Woman Sues LinkedIn for $5 Million Over Data Breach

Less than two weeks after learning more than 6 million stolen LinkedIn passwords were posted online, an Illinois woman is leading a class-action lawsuit against the professional networking site for using inadequate security tools to protect its members’ data.Katie Szpyrka, who registered for a LinkedIn account in 2010, filed the lawsuit last week in U.S. District Court in Northern California. In the complaint, she claims LinkedIn violated its own privacy policy in failing to use industry standards to protect personally identifiable information.

Less than two weeks after learning more than 6 million stolen LinkedIn passwords were posted online, an Illinois woman is leading a class-action lawsuit against the professional networking site for using inadequate security tools to protect its members’ data.

Katie Szpyrka, who registered for a LinkedIn account in 2010, filed the lawsuit last week in U.S. District Court in Northern California. In the complaint, she claims LinkedIn violated its own privacy policy in failing to use industry standards to protect personally identifiable information.

The company encrypted passwords with a SHA-1 algorithm but neglected to salt the passwords before storing them. The salt makes it more difficult to determine the protected data. Preliminary reports also show hackers used a SQL injection attack to access the databases through the company’s Web site, according to the lawsuit.

“LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker by bypassing its outer layer of security,” the complaint states. “In so doing, defendant violated its privacy policy’s promise to comply with industry standard protocols and technology for data security. … Had LinkedIn used proper encryption methods, and a hacker were able to penetrate LinkedIn’s network, he would be limited in his ability to inflict harm.”

The lawsuit also faults LinkedIn for not alerting users soon enough.

“Only after third party observers publicly announced the origin of the password list did LinkedIn become aware that its security had been breached and that confidential information had been removed. Initially, LinkedIn publicly responded by stating, ‘Our security team continues to investigate this morning’s reports of stolen passwords. At this time, we’re still unable to confirm that any security breach has occurred.'”

On June 9, the company admitted it was not handling user data in accordance with best practices, the suit said.

“That LinkedIn did not recognize its databases had been compromised until it was informed through public channels provides further evidence that the company didn’t adhere to industry standards. Specifically, LinkedIn did not implement, or it poorly implemented, an intrusion detection system to properly identify and quickly respond to attacks on its servers.”

Within days of an announcement, LinkedIn officials said it sent e-mails to breach victims, which represent a small percentage of its 120 million user base. But an anti-spam technology provider discovered about 250,000 of those impacted had flagged the official password reset notification as spam. Some found the message suspicious because of its timing and lack of detail; others routinely sent LinkedIn e-mail to spam folders to control the volume received.

A LinkedIn spokeswoman told Reuters today that the lawsuit was without merit.

“No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured,” Erin O’Harra said. “Therefore, it appears that these  threats are driven by lawyers looking to take advantage of the  situation. We believe these claims are without merit, and we will defend  the company vigorously against suits trying to leverage third-party  criminal behavior.”

Szpyrka, who maintained a premium LinkedIn account for about $26 a month, is represented by the firm Edelson McGuire, which on March 28 obtained a settlement against social gaming company RockYou over a 2009 data breach. RockYou denied any wrongdoing but agreed to pay Edelson almost $300,000 in legal fees.

Szpyrka is suing for $5 million or more in damages. Causes for action include (a) violation of California’s Unfair Competition Law for failing to properly safeguard sensitive personally identifiable information; (b) violation of the state’s Consumers Legal Remedies Act by stating it used industry standards when it did not; (c) breach of implied and actual contracts, implied good faith and fair dealing; and (d) negligence.

Suggested articles

Discussion

  • Anonymous on

    People will do anything for money. I use the site for free and really do not expect much from a free service. 

  • Anonymous on

    Just another person, or people, trying to get their names in the headlines. In fact, I believe from the original articles on this she works for the law firm underatking the lawsuit. So I'd say its all about a bit of free advertising....because really $5m for a class action?? That would be less than $1 per person and even less after the attorney take their cut.

  • Anonymous on

    Another money grabber through legal system. The money you take from LinkedIn could be better spent on their upgraded security than lining the pockets of people whom create a lawsuit. 

    Anyway, salted passwords can be cracked. In fact, almost any encryption can be reversed. Yes LinkedIn should use something better but still, even if they did salt them it doesn't make any difference. 

    SQL injection is a bit worrying, that should be audited. Saying that, as a developer it can be sometimes easy to rember to sanatize everything on input and output. 

     

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.