Breach, Data Security

In LinkedIn breach suit, judge denies company’s motion to dismiss

A federal judge ruled that a class-action lawsuit, stemming from LinkedIn's 2012 password breach, could move forward based on claims that the company misrepresented its security practices.

On Friday, Edward Davila, a U.S. District Court Judge in San Jose, Calif., denied (PDF) LinkedIn's motion to dismiss all of the claims made by one plaintiff.

While Judge Davila tossed two out of three claims made by plaintiff Khalilah Wright, business networking service LinkedIn must contend with one – that Wright's premium LinkedIn subscription would have been viewed as “less valuable” had the company disclosed its “lax security practices,” court documents said.

“[Wright] alleges that her LinkedIn password was retrieved by the hackers and posted on the internet on June 6, 2012,” the court order said. “She alleges that, prior to her purchase of the premium subscription, she read LinkedIn's user agreement and privacy policy and that, had LinkedIn disclosed its lax security practices, she would have viewed the premium subscription as less valuable and would either have attempted to purchase a premium subscription at a lower price or not at all.”

The ruling comes after Judge Davila granted LinkedIn's request last March to have a class-action complaint against it tossed. In that instance, Wright and another plaintiff, Katie Szpyrka, failed to prove that the password breach caused them financial loss or future harm – a point that was integral to their claims.

Since then, Wright filed a second amended complaint against LinkedIn.

This time around, the court found that Wright's “injury [or] the purchased induced by the misrepresentation, is fairly traceable to LinkedIn's conduct because LinkedIn made the misrepresentation,” court documents said.  

The judge also ruled that Wright could potentially be compensated for her “injury,” as restitution is arguable under California's Unfair Competition Law (UCL).

In the LinkedIn breach, hackers posted nearly 6.5 million passwords of LinkedIn users online. While the passwords were protected with an outdated cryptographic hash function, SHA-1, the company was criticized for not taking other security steps, like salting users' passwords – a measure LinkedIn eventually implemented in the wake of the incident.

Moving forward, a case management conference to be attended by the judge and both parties is scheduled for June 6.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.