|My LinkedIn network, visualized (Photo credit: For Inspiration Only)|
LINKEDIN CORPORATION, a Delaware corporation, Defendant.
Plaintiff Katie Szpyrka, by and through her attorneys, upon personal knowledge as to herself and her own acts, and upon information and belief as to all other matters, alleges as follows:
2. LinkedIn is an Internet company that owns and operates the website www.LinkedIn.com -- a social networking website with over 120 million registered users worldwide.
4. Sometime this year, hackers infiltrated LinkedIn's servers and accessed database(s) containing its users' PII. After retrieving this data, the hackers publicly posted over 6 million LinkedIn users' passwords online. Because LinkedIn used insufficient encryption methods to secure the user data, hackers were able to easily decipher a large number of the passwords.
5. While some security threats are unavoidable in a rapidly developing technological environment, LinkedIn's failure to comply with long standing industry standard encryption protocols jeopardized its users' PII, and diminished the value of the services provided by Defendant -- as guaranteed by its own contractual terms.
6. Plaintiff Katie Szpyrka is a natural person and resident of the State of Illinois. Plaintiff is a registered user of LinkedIn's services.
7. Defendant LinkedIn Corporation is a corporation incorporated and existing under the laws of the State of Delaware, with its principal place of business at 2029 StierIin Court, Mountain View, California 94043. LinkedIn does business throughout the State of California and the United States.
10. LinkedIn's website states that it “operates the world's largest professional network on the Internet with more than 120 million members in over 200 countries and territories [and] represents a valuable demographic for marketers with an affluent & influential membership.”[FN2]
11. A customer may sign up for a membership at www.LinkedIn.com by providing a valid e-mail address and a registration password. LinkedIn then stores these credentials in databases located on its servers. Once registered, users build personal “profiles” by providing LinkedIn with various types of demographic, occupational, and cultural information, including employment and educational history.
12. Defendant also offers users the ability to upgrade to a paid “premium” account, with prices ranging from $19.95 to $99.95 per month.
14. Importantly, Plaintiff and the Class members relied on LinkedIn's representation that it uses “industry standard protocols and technology” to preserve the integrity and security of their personal information in agreeing to create an account and provide their PII to the company, and when deciding to purchase “premium” accounts.LinkedIn Fails to Properly Encrypt its Users' PII
16. However, and despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilize basic industry standard encryption methods. In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed[FN3] format. The problem with this practice is two-fold. First, SHA-1 is an outdated hashing function, first published by the National Security Agency in 1995. Secondly, storing users' passwords in hashed format without first “salting” the password runs afoul of conventional data protection methods, and poses significant risks to the integrity users' sensitive data.
FN3. In simplest terms for purposes of this Complaint, “hashing” refers to the process by which a password is inputted into a cryptographic hash function and converted into an unreadable, encrypted format.
17. Industry standards require at least the additional process of adding “salt” to a password before running it through a hashing function -- a process whereby random values are combined with a password before the text is input into a hashing function. This procedure drastically increases the difficulty of deciphering the resulting encrypted password.
18. More common standard practice is to salt passwords before inputting them into a hash function, to then salt the resulting hash value, and again run the hash value through a hashing function. Finally, that fully encrypted password is stored on a separate and secure server apart from all other user information. Defendant's data protection procedures fall well short of this level of security.
20. Preliminary reports indicate that LinkedIn's servers were breached through a common hacking method known as an “SQL injection” attack. This hacking technique involves exploiting weaknesses existing in a company's website to penetrate deeper into back-end servers that contain databases of sensitive user information.
21. If true, LinkedIn's failure to adequately protect its website against SQL injection attacks -- in conjunction with improperly securing its users' PII -- would demonstrate that the company employed a troubling lack of security measures.
22. In fact, the Federal Trade Commission (“FTC”) has filed complaints against corporations claiming to secure customer data while remaining vulnerable to SQL injection attacks.[FN4] In the referenced case, the FTC filed a complaint in 2003 against the “Guess?” clothing company. The complaint alleges that despite a posted policy ensuring reasonable Internet security measures, “Guess?” stored customers' PII in an unencrypted database concomitantly with poor website security. The FTC argued that these practices constituted unfair or deceptive practices affecting commerce in violation of federal law.
FN4. In the Matter of Guess?, Inc. and Guess.com Inc., (Case No. C-4091) (FTC, July 30, 2003) (available at http:// www.ftc.gov/os/2003/08/guesscomp.pdf).
23. Moreover, the National Institute of Standards and Technology (“NIST”) provides basic network security checklists that enumerate steps to avoid SQL injection vulnerabilities.[FN5] The failure of a large company tasked with protecting millions of users' PII, such as LinkedIn, to act pursuant to these basic security checklists would further belie its assertion that it employed industry standard protocols and technology to secure its customers' PII.
FN5. National Checklist Program Repository, http://checklists.nist.gov (last visited June 14, 2012).
24. Had LinkedIn used proper encryption methods, and a hacker were able to penetrate LinkedIn's network, he would be limited in his ability to inflict harm. For example, a hacker still might be able cause temporary internal havoc in the operation of the website, or “vandalize” the appearance of pages by altering its code, he would not be able to access user databases. Moreover, if LinkedIn used appropriate encryption methods -- yet failed to secure its database -- the stolen PII would be useless, as it would be indecipherable.
25. On June 6, 2012, a list of approximately 6.5 million hashed passwords retrieved from LinkedIn's database was publicly posted online by hackers. Because the passwords were only hashed with a weak hashing function (and not salted), individuals were able to quickly decipher a large contingency of the posted passwords in a matter of hours. It quickly became apparent that the passwords belonged to LinkedIn users.
26. Only after third party observers publicly announced the origin of the password list did LinkedIn become aware that its security had been breached and that confidential information had been removed. Initially, LinkedIn publicly responded by stating, “Our security team continues to investigate this morning's reports of stolen passwords. At this time, we're still unable to confirm that any security breach has occurred.”[FN6]
FN6. Updating Your Password on LinkedIn and Other Account Security Best Practices, http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/(last visited June 12, 2012).
27. However, on June 9, 2012, LinkedIn admitted that it was not handling user data in accordance with best practices. LinkedIn stated that “one of our major initiatives was the transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry. That transition was completed prior to news of the password theft breaking on Wednesday. We continue to execute on our security roadmap, and we'll be releasing additional enhancements to better protect our members.”[FN7] But these actions were too little too late -- LinkedIn's transition to more stringent data protection practices clearly occurred after its servers were breached, as the passwords publicly posted were, by its own admission, only hashed.
FN7. An Update On Taking Steps To Protect Our Members, http:// blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/ (last visited June 12, 2012).
28. That LinkedIn did not recognize its databases had been compromised until it was informed through public channels provides further evidence that the company didn't adhere to industry standards. Specifically, LinkedIn did not implement, or it poorly implemented, an intrusion detection system to properly identify and quickly respond to attacks on its servers.LinkedIn's Business Model
29. LinkedIn offers products and services in the form of online applications to be used in conjunction with online social networks.
30. LinkedIn's consumers pay for LinkedIn's products and services both with actual dollars and with their PII. Put another way, in addition to a more conventional subscription fee, “free” account users buy products and services by paying LinkedIn in the form of contact information (first name, last name, and an email address). Put yet another way, LinkedIn users provide something valuable -- access to their personal information -- in exchange for LinkedIn's products and services, which include LinkedIn's promise to employ industry standard protocols and technology to safeguard their PII.
31. Even for customers that it does not directly charge using traditional legal tender, LinkedIn is able to generate earnings from users through the receipt of their personal information. LinkedIn describes itself as a “unique social application-based advertising network.” In other words, LinkedIn makes money by selling targeted advertising space, similar to a newspaper or television program.
32. But unlike traditional newspaper or television marketing, LinkedIn is a particularly attractive advertising platform because it possesses detailed demographic information that may be used to direct highly targeted ads to its customers.
34. During the relevant time period, Plaintiff Katie Szpyrka was a registered account holder with LinkedIn. She registered with LinkedIn in or around late 2010.
35. Beyond simply being a registered user of LinkedIn, Plaintiff additionally paid a monthly fee to use LinkedIn's upgraded services. From approximately late 2010 to November 2011 she paid $24.95 per month, and from December 2011 to the present she has paid $26.95 per month.
36. In signing up to utilize LinkedIn, Plaintiff submitted her first name, last name, e-mail address and a unique password to LinkedIn.
38. Plaintiff Katie Szpyrka brings this action pursuant to Fed. R. Civ. P. 23(b)(2) and (3) on behalf of herself and a Class and SubClass of similarly situated individuals, defined as
LinkedIn User Class: All individuals and entities in the United States who had a LinkedIn account on or before June 6, 2012.
Upgraded LinkedIn User SubClass: All LinkedIn User Class Members who paid a monthly fee to LinkedIn for an upgraded account.
Excluded from the Class and SubClass are: 1) any Judge or Magistrate presiding over this action and members of their families; 2) Defendant, Defendant's subsidiaries, parents, successors, predecessors, and any entity in which the Defendant or its parents have a controlling interest and their current or former employees, officers and directors; 3) counsel for Plaintiff and Defendant; 4) persons who properly execute and file a timely request for exclusion from the class; 5) the legal representatives, successors or assigns of any such excluded persons; and 6) all persons who have previously had claims similar to those alleged herein finally adjudicated or who have released their claims against Defendant; 7) as well as any individual who contributed to the unauthorized access of LinkedIn's database.
39. The exact number of Class and SubClass members is unknown to Plaintiff at this time, but on information and belief, there are hundreds of thousands of persons in the Class and SubClass, making joinder of each individual member impracticable. Ultimately, Class and SubClass members will be easily identified through Defendant's records.
40. Plaintiff's claims are typical of the claims of all of the other members of the Class and SubClass.
41. Plaintiff will fairly and adequately represent and protect the interests of the other members of the Class and SubClass. Plaintiff has retained counsel with substantial experience in prosecuting complex litigation and class actions. Plaintiff and her counsel are committed to vigorously prosecuting this action on behalf of the members of the Class and SubClass, and have the financial resources to do so. Neither Plaintiff nor her counsel have any interest adverse to those of the other members of the Class and SubClass.
42. Absent a class action, most members of the Class would find the cost of litigating their claims to be prohibitive and will have no effective remedy. The class treatment of common questions of law and fact is also superior to multiple individual actions or piecemeal litigation in that it conserves the resources of the courts and the litigants, and promotes consistency and efficiency of adjudication.
43. LinkedIn has acted and failed to act on grounds generally applicable to Plaintiff and the other members of the Class and SubClass, requiring the Court's imposition of uniform relief to ensure compatible standards of conduct toward the members of the Class and SubClass.
44. The factual and legal bases of LinkedIn's liability to Plaintiff and to the other members of the Class and SubClass are the same and resulted in injury to Plaintiff and all of the other members of the Class. Plaintiff and the other members of the Class and SubClass have all suffered harm as a result of LinkedIn's wrongful conduct.
45. There are many questions of law and fact common to the claims of Plaintiff and the other members of the Class and SubClass, and those questions predominate over any questions that may affect individual members of the Class and SubClass. Common questions for the Class and SubClass include but are not limited to the following:
(a) whether LinkedIn failed to protect users' PII with industry standard protocols and technology;
(b) whether storing user e-mails and passwords in a partially unencrypted format complied with industry standard protocols and technology;
(c) whether LinkedIn's conduct described herein violated the Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq. );
(d) whether LinkedIn's conduct describe herein violated the California Legal Remedies Act (Cal. Civ. Code §§ 1750, et seq. );
(e) whether LinkedIn's conduct described herein constitutes a breach of contract;
(f) whether LinkedIn's conduct described herein constitutes breach of the implied covenants of good faith and fair dealing;
(g) whether LinkedIn's conduct described herein constitutes breach of implied contracts;
(h) whether LinkedIn's conduct described herein was negligent and/or grossly negligent; and,
(i) whether LinkedIn's conduct described herein constitutes negligence per se.
46. Plaintiff reserves the right to revise the definitions of the Class and SubClass based on further investigation, including facts learned in discovery.
WHEREFORE, Plaintiff, individually and on behalf of the Class and SubClass, prays for the following relief:
A. Certify this case as a class action on behalf of the Class and SubClass defined above, appoint Katie Szpyrka as Class and SubClass representative, and appoint her counsel as Class and SubClass counsel;
B. Declare that LinkedIn's actions, as described herein, violate the California Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.) and the Consumer Legal Remedies Act (Cal. Bus. & Prof. Code §§ 1750), and constitute breach of contract, or in the alternative, breach of the implied covenant of good faith and fair dealing, or in the alternative, breach of implied contract, as well as negligence and negligence per se.
C. Awarding injunctive and other equitable relief as is necessary to protect the interests of Plaintiff the other Class and SubClass members, including, inter alia: (i) an order prohibiting LinkedIn from engaging in the wrongful and unlawful acts described herein; (ii) ensuring that LinkedIn user data does not appear in Internet search engines; and (iii) requiring LinkedIn to protect all data collected through the course of its business in accordance with industry standards;
D. Award damages to Plaintiff and the other Class and SubClass members in an amount to be determined at trial;
E. Award Plaintiff and the other Class and SubClass members their reasonable litigation expenses and attorneys' fees;
F. Award Plaintiff and the other Class and SubClass members pre- and post-judgment interest, to the extent allowable; and
G. Award such other and further relief as equity and justice may require.