BreachExchange mailing list archives

$5 million class action lawsuit over LinkedIn data breach dismissed


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Fri, 8 Mar 2013 08:57:54 -0600

http://nakedsecurity.sophos.com/2013/03/08/linkedin-lawsuit-data-breach/

Any damage done to LinkedIn users over the massive June 2012 data
breach was abstract, not actual, a US judge has ruled.

Thus did a $5 million class-action lawsuit against the networking site
get dismissed, before the case ever breathed the air of a court trial.

The breach resulted in the compromise of 6.5 million users' passwords.

Within hours of the passwords being posted online, over 60% of the
stolen passwords had been cracked.

Within days of the June breach, the lawsuit was filed on behalf of all
users by two premium LinkedIn users in the US, Katie Szpyrka and
Khalilah Wright.

It charged LinkedIn with failing to use basic industry standard
security practices - a failing that, the plaintiffs claimed, led to
the data leak.

Specifically, the suit claimed that LinkedIn stored passwords as
unsalted SHA1 hashes, thereby failing to adhere to its Privacy
Policy's promise to use industry standard protocols and technology to
protect personally identifiable information.
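As an added illustration (not part of the article or of this mailing-list post) of why an unsalted SHA1 dump can be cracked in bulk within hours, and what a per-user salt plus a slow, iterated hash changes, here is a constructed comparison on a made-up user list and wordlist; the PBKDF2 scheme is my assumed stand-in for "industry standard" storage, not a description of what LinkedIn did or later adopted.

```python
import hashlib
import os

# Constructed sample data: fictitious users and a tiny wordlist, not real breach data.
USERS = [("alice", "linkedin1"), ("bob", "password"),
         ("carol", "linkedin1"), ("dave", "Xq7!pL#9vZ2m")]
WORDLIST = ["123456", "password", "linkedin1", "letmein"]


def sha1_unsalted(pw: str) -> str:
    """The storage format the suit complained about: plain SHA1, no salt."""
    return hashlib.sha1(pw.encode()).hexdigest()


def store_unsalted(users):
    """Identical passwords collapse to identical hashes (alice == carol)."""
    return {u: sha1_unsalted(p) for u, p in users}


def crack_unsalted(store, wordlist):
    """Hash each dictionary word ONCE and look it up against every user.

    Cost is proportional to the wordlist, not to the number of users, which
    is why a large unsalted dump falls quickly. Returns {user: password}.
    """
    lookup = {sha1_unsalted(w): w for w in wordlist}
    return {u: lookup[h] for u, h in store.items() if h in lookup}


def store_salted(users, iterations=100_000):
    """Per-user random salt + iterated PBKDF2-HMAC-SHA256 (assumed scheme)."""
    out = {}
    for u, p in users:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        out[u] = (salt, iterations, dk)
    return out


def crack_salted(store, wordlist):
    """Same wordlist against salted storage: every user forces a fresh,
    deliberately slow hash of each guess. Returns ({user: password}, hashes)."""
    found, hashes = {}, 0
    for u, (salt, iters, dk) in store.items():
        for w in wordlist:
            hashes += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters) == dk:
                found[u] = w
                break
    return found, hashes
```

With the sample data the unsalted store needs only four SHA1 computations to recover three users, while the salted store needs one slow PBKDF2 computation per user per guess and gives alice and carol different stored values.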

Here's what the security part of LinkedIn's privacy policy said at the time:

In order to help secure your personal information, access to your data
on LinkedIn is password-protected, and sensitive data (such as credit
card information) is protected by SSL encryption when it is exchanged
between your web browser and the LinkedIn website. To protect any data
you store on our servers, LinkedIn also regularly audits its system
for possible vulnerabilities and attacks, and we use a tier-one
secured-access data center.

However, since the internet is not a 100% secure environment, we
cannot ensure or warrant the security of any information you transmit
to LinkedIn. There is no guarantee that information may not be
accessed, disclosed, altered, or destroyed by breach of any of our
physical, technical, or managerial safeguards.

It is your responsibility to protect the security of your login
information. Please note that emails, instant messaging, and similar
means of communication with other Users of LinkedIn are not encrypted,
and we strongly advise you not to communicate any confidential
information through these means.

Unfortunately for the plaintiffs, they failed to provide evidence of
injury coming out of the breach that was "concrete and
particularized," as well as "actual and imminent," US District Judge
Edward J. Davila wrote in his decision (PDF).

The plaintiffs claimed to have gotten gipped after they ponied up the
premium membership fee but then didn't get the industry-standard
security the privacy policy promised.

The thing is, Davila responded, the plaintiffs didn't pay extra for
that security, given that it was promised to both premium and basic
(free) memberships alike.

Rather, what the premium account holders actually got in return for
their fees were advanced networking tools and enhanced usage of
LinkedIn's services, not great security.

He wrote:

The User Agreement and Privacy Policy are the same for the premium
membership as they are for the nonpaying basic membership. Any alleged
promise LinkedIn made to paying premium account holders regarding
security protocols was also made to non-paying members.

Thus, when a member purchases a premium account upgrade, the bargain
is not for a particular level of security, but actually for the
advanced networking tools and capabilities to facilitate enhanced
usage of LinkedIn’s services.

The [suit] does not sufficiently demonstrate that included in
Plaintiffs’ bargain for premium membership was the promise of a
particular (or greater) level of security that was not part of the
free membership.

Besides, Davila said, the plaintiffs didn't even read the privacy
policy to begin with (at least, they didn't allege to have read it in
the suit), so how can they claim that they forked over the money for
premium memberships based on what it claimed?

As far as injury goes, while Wright claimed that her password had been
posted online, it didn't result in identity theft or somebody getting
into her account, the judge said, so the claim of financial harm or
injury just doesn't fly.

He wrote:

Wright merely alleges that her LinkedIn password was "publicly posted
on the Internet on June 6, 2012". In doing so, Wright fails to show
how this amounts to a legally cognizable injury, such as, for example,
identity theft or theft of her personally identifiable information.

One lesson we can take from this is, apparently, that users have to
take security promises and privacy policies with a grain of salt.

Beyond that, the nuances of whether a company will be found liable for
security lapses, and the whys and why-nots, intrigue me.

I initially conjectured, when the lawsuit was first filed, that
LinkedIn had its work cut out for it in defending itself. I was
clearly wrong.

What do you think: should LinkedIn get off the hook this easily?
Should a company be held liable for not meeting industry standards for
security?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list