Saturday, June 23, 2012

Risk Management: LinkedIn security breach predictably generates a class-action suit

United States District Court, N.D. California.
Katie SZPYRKA, individually and on behalf of all others similarly situated, Plaintiff,
v.
LINKEDIN CORPORATION, a Delaware corporation, Defendant.
No. CV 12 3088 HRL.
June 15, 2012.
Demand for Jury Trial

Class Action Complaint for: (1) Violations of Cal. Bus. & Prof. Code § 17200; (2) Violations of Cal. Civ. Code § 1750; (3) Breach of Contract; (4) Breach of the Implied Covenant of Good Faith and Fair Dealing; (5) Breach of Implied Contracts; (6) Negligence; (7) Negligence Per Se



Plaintiff Katie Szpyrka, by and through her attorneys, upon personal knowledge as to herself and her own acts, and upon information and belief as to all other matters, alleges as follows:


NATURE OF THE ACTION


1. Plaintiff Katie Szpyrka brings this class action complaint against LinkedIn Corporation (“LinkedIn”) for failing to properly safeguard its users' digitally stored personally identifiable information (“PII”), including e-mail addresses, passwords, and login credentials. LinkedIn violated its own User Agreement and Privacy Policy by failing to utilize long-standing industry standard protocols and technology to protect Plaintiff and the Class members' PII.
2. LinkedIn is an Internet company that owns and operates the website www.LinkedIn.com -- a social networking website with over 120 million registered users worldwide.
3. Through its Privacy Policy, LinkedIn promises its users that “[a]ll information that [they] provide [to LinkedIn] will be protected with industry standards protocols and technology.”[FN1] In direct contradiction to this promise, LinkedIn failed to comply with basic industry standards by maintaining millions of users' PII in its servers' databases in a weak encryption format, and without implementing other crucial security measures.
FN1. LinkedIn “Privacy Policy,” http://www.linkedin.com/static?key=privacy_policy&trk=hb_ft_priv (last visited June 12, 2012).
4. Sometime this year, hackers infiltrated LinkedIn's servers and accessed database(s) containing its users' PII. After retrieving this data, the hackers publicly posted over 6 million LinkedIn users' passwords online. Because LinkedIn used insufficient encryption methods to secure the user data, hackers were able to easily decipher a large number of the passwords.
5. While some security threats are unavoidable in a rapidly developing technological environment, LinkedIn's failure to comply with long-standing industry standard encryption protocols jeopardized its users' PII, and diminished the value of the services provided by Defendant -- as guaranteed by its own contractual terms.


PARTIES


6. Plaintiff Katie Szpyrka is a natural person and resident of the State of Illinois. Plaintiff is a registered user of LinkedIn's services.
7. Defendant LinkedIn Corporation is a corporation incorporated and existing under the laws of the State of Delaware, with its principal place of business at 2029 Stierlin Court, Mountain View, California 94043. LinkedIn does business throughout the State of California and the United States.


***

FACTUAL BACKGROUND


10. LinkedIn's website states that it “operates the world's largest professional network on the Internet with more than 120 million members in over 200 countries and territories [and] represents a valuable demographic for marketers with an affluent & influential membership.”[FN2]
FN2. LinkedIn “About Us,” http://press.linkedin.com/about (last visited June 12, 2012).
11. A customer may sign up for a membership at www.LinkedIn.com by providing a valid e-mail address and a registration password. LinkedIn then stores these credentials in databases located on its servers. Once registered, users build personal “profiles” by providing LinkedIn with various types of demographic, occupational, and cultural information, including employment and educational history.
12. Defendant also offers users the ability to upgrade to a paid “premium” account, with prices ranging from $19.95 to $99.95 per month.
13. Regardless of whether a user signs up for a free or premium account, LinkedIn asserts through its Privacy Policy that it will safeguard its users' sensitive PII, specifically that: “All information that you provide will be protected with industry standard protocols and technology.” Plaintiff and the Class agreed to LinkedIn's User Agreement and Privacy Policy in order to register and use LinkedIn's services.
14. Importantly, Plaintiff and the Class members relied on LinkedIn's representation that it uses “industry standard protocols and technology” to preserve the integrity and security of their personal information in agreeing to create an account and provide their PII to the company, and when deciding to purchase “premium” accounts.
LinkedIn Fails to Properly Encrypt its Users' PII

15. As introduced above, LinkedIn digitally stores millions of users' PII in a large-scale commercial database on its servers, and promises through its Privacy Policy that it uses “industry standard protocols and technology” to protect such PII.
16. However, and despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilize basic industry standard encryption methods. In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed[FN3] format. The problem with this practice is two-fold. First, SHA-1 is an outdated hashing function, first published by the National Security Agency in 1995. Secondly, storing users' passwords in hashed format without first “salting” the password runs afoul of conventional data protection methods, and poses significant risks to the integrity of users' sensitive data.
FN3. In simplest terms for purposes of this Complaint, “hashing” refers to the process by which a password is inputted into a cryptographic hash function and converted into an unreadable, encrypted format.
17. Industry standards require at least the additional process of adding “salt” to a password before running it through a hashing function -- a process whereby random values are combined with a password before the text is input into a hashing function. This procedure drastically increases the difficulty of deciphering the resulting encrypted password.
18. More common standard practice is to salt passwords before inputting them into a hash function, to then salt the resulting hash value, and again run the hash value through a hashing function. Finally, that fully encrypted password is stored on a separate and secure server apart from all other user information. Defendant's data protection procedures fall well short of this level of security.
19. LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of security. In so doing, Defendant violated its Privacy Policy's promise to comply with industry standard protocols and technology for data security.
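The following is an added illustration, not part of the complaint or of any LinkedIn code, of the difference paragraphs 16 through 18 describe: a bare SHA-1 digest is deterministic, so every user who chose the same password receives the same stored value and one precomputed table covers the whole database, whereas a per-user random salt combined with an iterated hash (PBKDF2-HMAC-SHA256 is used here as an example of a modern salted scheme) makes every stored value unique. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # work factor per guess; raise as hardware improves


def sha1_unsalted(password: str) -> str:
    """Bare SHA-1 digest, the storage scheme the complaint describes.

    Deterministic: identical passwords yield identical digests, so a single
    precomputed table of common passwords applies to every user at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).

    The salt is stored beside the digest and need not be secret; it makes
    each stored value unique, so a precomputed table is useless and every
    guess must be recomputed per user at the configured cost.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_digest_groups(records: dict) -> dict:
    """Audit check: users whose stored values are byte-for-byte identical.

    In an unsalted table such groups reveal password reuse to anyone holding
    the dump; in a properly salted table there should be none.
    """
    groups = defaultdict(list)
    for user, digest in records.items():
        groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Constructed sample accounts (not real data); alice and carol chose the same password.
SAMPLE_PASSWORDS = {"alice": "Summer2012!", "bob": "correct horse battery", "carol": "Summer2012!"}
UNSALTED_TABLE = {u: sha1_unsalted(p) for u, p in SAMPLE_PASSWORDS.items()}
SALTED_TABLE = {u: pbkdf2_salted(p) for u, p in SAMPLE_PASSWORDS.items()}

if __name__ == "__main__":
    print("unsalted duplicates:", shared_digest_groups(UNSALTED_TABLE))  # alice and carol collide
    print("salted duplicates:  ", shared_digest_groups(SALTED_TABLE))    # none
    print("alice login ok:", verify_salted("Summer2012!", SALTED_TABLE["alice"]))
```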
The Attack on LinkedIn's Database

20. Preliminary reports indicate that LinkedIn's servers were breached through a common hacking method known as an “SQL injection” attack. This hacking technique involves exploiting weaknesses existing in a company's website to penetrate deeper into back-end servers that contain databases of sensitive user information.
21. If true, LinkedIn's failure to adequately protect its website against SQL injection attacks -- in conjunction with improperly securing its users' PII -- would demonstrate that the company employed a troubling lack of security measures.
22. In fact, the Federal Trade Commission (“FTC”) has filed complaints against corporations claiming to secure customer data while remaining vulnerable to SQL injection attacks.[FN4] In the referenced case, the FTC filed a complaint in 2003 against the “Guess?” clothing company. The complaint alleges that despite a posted policy ensuring reasonable Internet security measures, “Guess?” stored customers' PII in an unencrypted database concomitantly with poor website security. The FTC argued that these practices constituted unfair or deceptive practices affecting commerce in violation of federal law.
FN4. In the Matter of Guess?, Inc. and Guess.com Inc., (Case No. C-4091) (FTC, July 30, 2003) (available at http://www.ftc.gov/os/2003/08/guesscomp.pdf).
23. Moreover, the National Institute of Standards and Technology (“NIST”) provides basic network security checklists that enumerate steps to avoid SQL injection vulnerabilities.[FN5] The failure of a large company tasked with protecting millions of users' PII, such as LinkedIn, to act pursuant to these basic security checklists would further belie its assertion that it employed industry standard protocols and technology to secure its customers' PII.
FN5. National Checklist Program Repository, http://checklists.nist.gov (last visited June 14, 2012).
24. Had LinkedIn used proper encryption methods, and a hacker were able to penetrate LinkedIn's network, he would be limited in his ability to inflict harm. For example, while a hacker still might be able to cause temporary internal havoc in the operation of the website, or “vandalize” the appearance of pages by altering its code, he would not be able to access user databases. Moreover, if LinkedIn used appropriate encryption methods -- yet failed to secure its database -- the stolen PII would be useless, as it would be indecipherable.
25. On June 6, 2012, a list of approximately 6.5 million hashed passwords retrieved from LinkedIn's database was publicly posted online by hackers. Because the passwords were only hashed with a weak hashing function (and not salted), individuals were able to quickly decipher a large contingency of the posted passwords in a matter of hours. It quickly became apparent that the passwords belonged to LinkedIn users.
26. Only after third party observers publicly announced the origin of the password list did LinkedIn become aware that its security had been breached and that confidential information had been removed. Initially, LinkedIn publicly responded by stating, “Our security team continues to investigate this morning's reports of stolen passwords. At this time, we're still unable to confirm that any security breach has occurred.”[FN6]
FN6. Updating Your Password on LinkedIn and Other Account Security Best Practices, http://blog.linkedin.com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/ (last visited June 12, 2012).
27. However, on June 9, 2012, LinkedIn admitted that it was not handling user data in accordance with best practices. LinkedIn stated that “one of our major initiatives was the transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry. That transition was completed prior to news of the password theft breaking on Wednesday. We continue to execute on our security roadmap, and we'll be releasing additional enhancements to better protect our members.”[FN7] But these actions were too little too late -- LinkedIn's transition to more stringent data protection practices clearly occurred after its servers were breached, as the passwords publicly posted were, by its own admission, only hashed.
FN7. An Update On Taking Steps To Protect Our Members, http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/ (last visited June 12, 2012).
28. That LinkedIn did not recognize its databases had been compromised until it was informed through public channels provides further evidence that the company didn't adhere to industry standards. Specifically, LinkedIn did not implement, or it poorly implemented, an intrusion detection system to properly identify and quickly respond to attacks on its servers.
LinkedIn's Business Model

29. LinkedIn offers products and services in the form of online applications to be used in conjunction with online social networks.
30. LinkedIn's consumers pay for LinkedIn's products and services both with actual dollars and with their PII. Put another way, in addition to a more conventional subscription fee, “free” account users buy products and services by paying LinkedIn in the form of contact information (first name, last name, and an email address). Put yet another way, LinkedIn users provide something valuable -- access to their personal information -- in exchange for LinkedIn's products and services, which include LinkedIn's promise to employ industry standard protocols and technology to safeguard their PII.
31. Even for customers that it does not directly charge using traditional legal tender, LinkedIn is able to generate earnings from users through the receipt of their personal information. LinkedIn describes itself as a “unique social application-based advertising network.” In other words, LinkedIn makes money by selling targeted advertising space, similar to a newspaper or television program.
32. But unlike traditional newspaper or television marketing, LinkedIn is a particularly attractive advertising platform because it possesses detailed demographic information that may be used to direct highly targeted ads to its customers.
33. If not for the inherent and quantifiable value of access to its users' personal data, LinkedIn could not sustain financial viability, as a considerable portion of its user base are not “premium” members, and thus do not pay monthly fees. Thus, the promises contained in its Privacy Policy concerning the safeguarding of consumer data that LinkedIn receives in exchange for its products and services are vital to its business and to its consumers.


FACTS RELATING TO PLAINTIFF


34. During the relevant time period, Plaintiff Katie Szpyrka was a registered account holder with LinkedIn. She registered with LinkedIn in or around late 2010.
35. Beyond simply being a registered user of LinkedIn, Plaintiff additionally paid a monthly fee to use LinkedIn's upgraded services. From approximately late 2010 to November 2011 she paid $24.95 per month, and from December 2011 to the present she has paid $26.95 per month.
36. In signing up to utilize LinkedIn, Plaintiff submitted her first name, last name, e-mail address and a unique password to LinkedIn.
37. In creating an account with Defendant, Plaintiff agreed to LinkedIn's User Agreement and Privacy Policy, including the material term that “Personal information you provide will be secured in accordance with industry standards protocols and technology.”


CLASS ALLEGATIONS


38. Plaintiff Katie Szpyrka brings this action pursuant to Fed. R. Civ. P. 23(b)(2) and (3) on behalf of herself and a Class and SubClass of similarly situated individuals, defined as:
LinkedIn User Class: All individuals and entities in the United States who had a LinkedIn account on or before June 6, 2012.
Upgraded LinkedIn User SubClass: All LinkedIn User Class Members who paid a monthly fee to LinkedIn for an upgraded account.
Excluded from the Class and SubClass are: 1) any Judge or Magistrate presiding over this action and members of their families; 2) Defendant, Defendant's subsidiaries, parents, successors, predecessors, and any entity in which the Defendant or its parents have a controlling interest and their current or former employees, officers and directors; 3) counsel for Plaintiff and Defendant; 4) persons who properly execute and file a timely request for exclusion from the class; 5) the legal representatives, successors or assigns of any such excluded persons; and 6) all persons who have previously had claims similar to those alleged herein finally adjudicated or who have released their claims against Defendant; 7) as well as any individual who contributed to the unauthorized access of LinkedIn's database.
39. The exact number of Class and SubClass members is unknown to Plaintiff at this time, but on information and belief, there are hundreds of thousands of persons in the Class and SubClass, making joinder of each individual member impracticable. Ultimately, Class and SubClass members will be easily identified through Defendant's records.
40. Plaintiff's claims are typical of the claims of all of the other members of the Class and SubClass.
41. Plaintiff will fairly and adequately represent and protect the interests of the other members of the Class and SubClass. Plaintiff has retained counsel with substantial experience in prosecuting complex litigation and class actions. Plaintiff and her counsel are committed to vigorously prosecuting this action on behalf of the members of the Class and SubClass, and have the financial resources to do so. Neither Plaintiff nor her counsel have any interest adverse to those of the other members of the Class and SubClass.
42. Absent a class action, most members of the Class would find the cost of litigating their claims to be prohibitive and will have no effective remedy. The class treatment of common questions of law and fact is also superior to multiple individual actions or piecemeal litigation in that it conserves the resources of the courts and the litigants, and promotes consistency and efficiency of adjudication.
43. LinkedIn has acted and failed to act on grounds generally applicable to Plaintiff and the other members of the Class and SubClass, requiring the Court's imposition of uniform relief to ensure compatible standards of conduct toward the members of the Class and SubClass.
44. The factual and legal bases of LinkedIn's liability to Plaintiff and to the other members of the Class and SubClass are the same and resulted in injury to Plaintiff and all of the other members of the Class. Plaintiff and the other members of the Class and SubClass have all suffered harm as a result of LinkedIn's wrongful conduct.
45. There are many questions of law and fact common to the claims of Plaintiff and the other members of the Class and SubClass, and those questions predominate over any questions that may affect individual members of the Class and SubClass. Common questions for the Class and SubClass include but are not limited to the following:
(a) whether LinkedIn failed to protect users' PII with industry standard protocols and technology;
(b) whether storing user e-mails and passwords in a partially unencrypted format complied with industry standard protocols and technology;
(c) whether LinkedIn's conduct described herein violated the Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.);
(d) whether LinkedIn's conduct described herein violated the California Legal Remedies Act (Cal. Civ. Code §§ 1750, et seq.);
(e) whether LinkedIn's conduct described herein constitutes a breach of contract;
(f) whether LinkedIn's conduct described herein constitutes breach of the implied covenants of good faith and fair dealing;
(g) whether LinkedIn's conduct described herein constitutes breach of implied contracts;
(h) whether LinkedIn's conduct described herein was negligent and/or grossly negligent; and,
(i) whether LinkedIn's conduct described herein constitutes negligence per se.
46. Plaintiff reserves the right to revise the definitions of the Class and SubClass based on further investigation, including facts learned in discovery.


***

PRAYER FOR RELIEF


WHEREFORE, Plaintiff, individually and on behalf of the Class and SubClass, prays for the following relief:
A. Certify this case as a class action on behalf of the Class and SubClass defined above, appoint Katie Szpyrka as Class and SubClass representative, and appoint her counsel as Class and SubClass counsel;
B. Declare that LinkedIn's actions, as described herein, violate the California Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.) and the Consumer Legal Remedies Act (Cal. Bus. & Prof. Code §§ 1750), and constitute breach of contract, or in the alternative, breach of the implied covenant of good faith and fair dealing, or in the alternative, breach of implied contract, as well as negligence and negligence per se.
C. Award injunctive and other equitable relief as is necessary to protect the interests of Plaintiff and the other Class and SubClass members, including, inter alia: (i) an order prohibiting LinkedIn from engaging in the wrongful and unlawful acts described herein; (ii) ensuring that LinkedIn user data does not appear in Internet search engines; and (iii) requiring LinkedIn to protect all data collected through the course of its business in accordance with industry standards;
D. Award damages to Plaintiff and the other Class and SubClass members in an amount to be determined at trial;
E. Award Plaintiff and the other Class and SubClass members their reasonable litigation expenses and attorneys' fees;
F. Award Plaintiff and the other Class and SubClass members pre- and post-judgment interest, to the extent allowable; and
G. Award such other and further relief as equity and justice may require.


***
