Judge tosses suit against LinkedIn

A US District Court judge in California has ruled that plaintiffs failed to show harm stemming from last year's theft of 6.5 million passwords from LinkedIn.
Written by John Fontana, Contributor

Citing a failure to prove harm, a US District Court judge in California threw out a $5 million class-action lawsuit against LinkedIn that stemmed from last year's theft of 6.5 million passwords from the professional-networking giant.

US District Judge Edward J Davila said that the plaintiffs failed to show a "casual connection" between the harm they allegedly suffered and LinkedIn's alleged failure to follow industry standards and its own promise to encrypt user password data.

In dismissing the case, the judge said that the plaintiffs admitted they had never actually read LinkedIn's privacy policy and, therefore, could not claim the company misrepresented itself.

In June of last year, LinkedIn reported that Russian hackers had stolen nearly 6.5 million passwords from its website. With more than 150 million users, the password theft involved less than 5 percent of LinkedIn's user base.

Shortly thereafter, Katie Szpyrka, a registered LinkedIn account holder since 2010, filed suit in United State District Court in the Northern District of California, demanding a jury trial on grounds including breach of contract and negligence. The suit claimed $5 million in damages.

The Illinois woman, who paid $26.95 per month for a premium LinkedIn account, said LinkedIn's privacy policy promises users that all the information they provide will be protected with industry standards and technology.

She said that LinkedIn failed to comply with basic industry standards by using a weak encryption format. The company had encrypted passwords with a SHA-1 algorithm, but according to experts, the fact that the company neglected to "salt" the hash weakened the security.

The suit also referenced preliminary reports that said hackers used a common SQL injection attack, which lets them access databases via a website. The suit cited National Institute of Standards and Technology checklists as common guidance for avoiding SQL injection attacks.

A second LinkedIn user later joined Szpyrka in the suit, and the two became the representatives in a class-action suit encompassing all LinkedIn users affected by the breach.

But the judge ultimately dismissed the case because LinkedIn's User Agreement and Privacy Policy is the same for both free and paid premium accounts.

In his order to dismiss the case, Judge Davila wrote: "Any alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members. Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn's services. The FAC [First Amended Consolidated Complaint] does not sufficiently demonstrate that included in Plaintiffs' bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership."

Editorial standards