Legal battle over LinkedIn breach could be costly

In addition to legal costs, the social networking site's brand could be hurt if the case is not settled quickly

Wed, June 27, 2012

CSO — LinkedIn, the professional social networking site facing a $5 million-plus lawsuit for a massive breach earlier this month, may win its impending legal battle. But victory will probably not come cheap. Legal bills mount up quickly, especially with an "aggressive" defense, which LinkedIn has promised.

Unless the suit, filed on behalf of lead plaintiff Katie Szpyrka and a potential cast of millions of other coplaintiffs, is settled quickly and quietly, it is likely to provide regular public reminders, for months or possibly years, of what happened and why. That, as marketing people say, is not good for "brand identity."

The 6.5 million member password hashes, which were posted on a Russian hacker forum, were cracked in bulk within days because LinkedIn had stored them as unsalted SHA-1 hashes, a scheme well short of the industry standard. (Hashes are not "decrypted": an attacker guesses candidate passwords, hashes each one, and looks for matches, and an unsalted fast hash makes that guessing cheap for the whole dump at once.)

And that password-hashing weakness is what the lawsuit cites repeatedly in its seven allegations: violation of the California business and professions code; violations of the California civil code; breach of contract; breach of the implied covenant of good faith and fair dealing; breach of implied contracts; negligence; and negligence per se.


Szpyrka, listed on LinkedIn as a senior associate at the Chicago offices of UGL Equis, a global real estate firm focused on business clients, is represented by Sean P. Reis of Edelson McGuire LLP, a law firm in Rancho Santa Margarita, Calif. The suit is seeking certification as a class-action lawsuit on behalf of all LinkedIn users compromised by the hack.

The suit doesn't allege violations of any specific cybersecurity law, but complains that the company violated its own privacy policy, which asserts that it will "safeguard its users' sensitive PII (personally identifiable information), specifically that: 'All information you provide will be protected with industry standard protocols and technology.'"

By its own admission, LinkedIn was not in compliance with the industry standard, which is to "salt" the hashes: generate a unique random value for each user, combine it with the password before hashing, and store the salt alongside the resulting hash. Because two users with the same password then end up with different hashes, an attacker cannot crack an entire dump with one precomputed table and must attack each account separately. Salting alone does not make a single account slower to guess, so current practice also pairs it with a deliberately slow password-hashing function such as bcrypt or PBKDF2 rather than a plain fast hash.
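The following is an added example, not LinkedIn's code or anything from the complaint: it shows in working Python why an unsalted fast hash lets one dictionary pass crack every matching account in a dump, and what a per-user salt plus a slow hash (PBKDF2-HMAC-SHA256 from the standard library) changes. The user names, passwords, wordlist and iteration counts are all constructed for the example.

```python
# Added example (not LinkedIn's code): unsalted fast hashing vs. salted slow hashing.
# All sample data (users, passwords, wordlist) is constructed for this demonstration.
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


# --- The weak scheme: one fast, unsalted hash per password -----------------------
def sha1_unsalted(password: str) -> str:
    """Hash the way an unsalted SHA-1 password store does: same input, same output."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack against an unsalted dump.

    Each candidate word is hashed exactly once; that single table is then matched
    against every leaked hash. Cost is O(len(wordlist)) no matter how many users
    leaked, because equal passwords produce equal unsalted hashes.
    """
    table = {sha1_unsalted(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


# --- The salted, slow scheme ----------------------------------------------------
def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Per-user random salt + PBKDF2-HMAC-SHA256. Returns (salt, digest).

    The salt is stored next to the digest; it is not secret, it only has to be
    unique. The iteration count is an assumption chosen for this example.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh for every user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


# --- Demonstration on constructed data ------------------------------------------
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein"]

# Constructed "leak": three users, two of whom chose the same weak password.
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "correct horse battery staple"}
LEAKED_UNSALTED = {user: sha1_unsalted(pw) for user, pw in USERS.items()}


def demo(iterations: int = 10_000) -> Dict[str, object]:
    """Run both schemes and return the observations the text describes."""
    cracked = crack_unsalted(LEAKED_UNSALTED.values(), WORDLIST)
    salt_a, digest_a = hash_salted("linkedin", iterations=iterations)
    salt_b, digest_b = hash_salted("linkedin", iterations=iterations)
    return {
        # unsalted: alice and bob collide, and one table cracks both at once
        "unsalted_collision": LEAKED_UNSALTED["alice"] == LEAKED_UNSALTED["bob"],
        "unsalted_cracked_count": sum(1 for h in LEAKED_UNSALTED.values() if h in cracked),
        "carol_cracked": LEAKED_UNSALTED["carol"] in cracked,
        # salted: same password, different stored digests, still verifiable
        "salted_collision": digest_a == digest_b,
        "salted_verifies": verify_salted("linkedin", salt_a, digest_a, iterations),
        "salted_rejects_wrong": verify_salted("linkedin!", salt_a, digest_a, iterations),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows two of the three unsalted accounts falling to a five-word list in one pass while the salted digests for the identical password differ and still verify. The default of 600,000 PBKDF2 iterations is a deliberately slow setting; the demo passes a smaller count only to keep the example quick.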

LinkedIn, however, invokes the classic defense in data breach cases to contend the suit is "without merit."

LinkedIn spokeswoman Erin O'Harra told Cameron Scott of the IDG News Service: "No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation."

So, now that the dueling sound bites have been issued, how vulnerable is LinkedIn really?
