Considering the propensity of modern culture to sue over everything and anything, perhaps we ought to be surprised it has taken this long. Still, it has happened: LinkedIn is being sued over the data breach it experienced recently, which Neowin reported on. Not much should surprise you here, since there have been plenty of incidents where a company's security has been shown to be weak and someone has sued over it afterwards.
The lawsuit was filed by Katie Szpyrka from Illinois in a federal court in the city of San Jose, California, on June 15th, and seeks class-action status. The filing came less than two weeks after the LinkedIn breach, which left many people concerned about their LinkedIn account security. Szpyrka's law firm, based in Chicago, claimed LinkedIn had "deceived customers" by having a security policy in "clear contradiction of accepted industry standards for database security".
Legal experts have said that a large settlement for plaintiffs will be difficult to achieve, since each plaintiff will have to show they were personally harmed by a breach. The leak of LinkedIn passwords originally appeared on Russian forums, with ZDNet being one of the first sites to pick up on the major leak.
The passwords posted on the Russian message board were supposedly hashed, but stock prices still fell after the announcement that passwords had been leaked, indicating a loss of faith in the company. In total, over six million passwords had been lifted from LinkedIn's servers and shared around select Russian groups. Hashing might have provided some protection, though evidence suggested the criminals had managed to decode at least some of the passwords.
LinkedIn promised to add an additional security layer to its database, 'salting' the passwords as well as hashing them. While hashing is a layer of protection, it is only one layer, and that limits how much it can do. Determined criminals can still sometimes break the hashing, and can therefore expose the password and make use of it.
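The difference between hashing alone and salting plus hashing, as an added Python example (not from the original article or from LinkedIn): the account names, passwords and wordlist are constructed, and SHA-1 and PBKDF2 are assumed stand-ins, since the article does not name the algorithms involved.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users share a password on purpose.
ACCOUNTS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "S7!vq-harbor-93"}
# Constructed wordlist standing in for a public list of common passwords.
WORDLIST = ["password", "123456", "linkedin2012"]

def unsalted(password):
    """Fast unsalted digest (SHA-1 assumed here as the weak scheme)."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted(password, salt=None, rounds=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def verify(password, salt, stored, rounds=100_000):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted(password, salt, rounds)[1], stored)

def exposed_by_lookup(table):
    """Audit: which accounts does ONE precomputed wordlist table resolve?"""
    lookup = {unsalted(w): w for w in WORDLIST}
    return sorted(u for u, digest in table.items() if digest in lookup)

def shared_digests(table):
    """Audit: count accounts whose stored value equals another account's."""
    values = list(table.values())
    return sum(1 for v in values if values.count(v) > 1)

# The same accounts stored both ways.
unsalted_table = {u: unsalted(p) for u, p in ACCOUNTS.items()}
salted_table = {u: salted(p) for u, p in ACCOUNTS.items()}  # user -> (salt, digest)

if __name__ == "__main__":
    salted_hex = {u: d.hex() for u, (_, d) in salted_table.items()}
    print("unsalted, resolved by one table:", exposed_by_lookup(unsalted_table))
    print("unsalted, shared digests:", shared_digests(unsalted_table))
    print("salted, resolved by same table:", exposed_by_lookup(salted_hex))
    print("salted, shared digests:", shared_digests(salted_hex))
```

With the salt stored per user, the same password no longer produces the same stored value, so a single precomputed table stops resolving many accounts at once, while login checks still work through `verify`.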
It is no real surprise that the lawsuit has been filed. After all, it is a common occurrence after an incident such as this. What is much less frequent, however, is for these lawsuits to succeed on a major scale. The lawsuit sought $5,000,000 in damages, which seems to be about par for the course when it comes to post-hacking lawsuits.