LinkedIn facing £3 million lawsuit, as member claims negligence over password breach

News by Dan Raywood

LinkedIn is to be sued for $5 million (£3.2 million) after the hacking incident last week that saw 6.5 million password hashes leaked.

The plaintiff, Chicago resident Katie Szpyrka, has filed a class action lawsuit for: breach of contract; breach of the implied covenant of good faith and fair dealing; breach of implied contracts; and negligence.

Paragraph three of the complaint states that through its privacy policy, LinkedIn promises that all information that [they] provide [to LinkedIn] will be protected with industry standards, protocols and technology. In direct contradiction to this promise, LinkedIn failed to comply with basic industry standards by maintaining millions of users' personal information in its servers' databases in a weak encryption format, and without implementing other crucial security measures.

The filing also claims that while some security threats are unavoidable, LinkedIn's failure to comply with industry standards also jeopardised users' personal information – as guaranteed by its own contractual terms.

Paragraph 19 also claimed that LinkedIn 'failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of security. In doing so, Defendant violated its Privacy Policy's promise to comply with industry standard protocols and technology for data security'.

Paragraph 24 says that if LinkedIn had user encryption methods, a hacker would be limited in their ability to inflict harm. LinkedIn added a system that salts and hashes passwords to provide an extra layer of protection. 

Szpyrka joined LinkedIn in 2010 and had a premium account.

LinkedIn posted the following statement: "We have recently learned that a class action lawsuit has been filed against the company related to the theft of hashed LinkedIn member passwords that were published on an unauthorised website.

"No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured. Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation. We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behaviour."
