Halkyn Security Blog
Specialist Security & Risk Management Consultants

LinkedIn to face £3m lawsuit over password breach

Following up on the news last week that LinkedIn had suffered a major security breach in which huge numbers of user account passwords were put at risk (previously discussed), there is news today that a Chicago resident has filed a class action lawsuit against the company seeking US$5,000,000 in damages.

SC Magazine reports that the plaintiff feels he has solid grounds for this lawsuit:

Paragraph three of the complaint states that through its privacy policy, LinkedIn promises that all information that [they] provide [to LinkedIn] will be protected with industry standards, protocols and technology. In direct contradiction to this promise, LinkedIn failed to comply with basic industry standards by maintaining millions of users’ personal information in its servers’ databases in a weak encryption format, and without implementing other crucial security measures.

Without wishing to comment on the legal merits of this suit, the publicly available information implies that LinkedIn did indeed fail to implement good practice measures with regards to protecting user accounts – the password hashes were poor practice in 2002 and it would certainly be bad practice to not update your security for over 10 years.
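To make the "poor practice" point concrete, here is an added example (not code from the original post or from LinkedIn) contrasting an unsalted, single-pass password hash with a salted, iterated one; the unsalted SHA-1 "weak" scheme, the PBKDF2 parameters and the sample passwords are assumptions chosen for illustration.

```python
# Added illustration, not from the Halkyn post. Shows why an unsalted
# single-pass hash is weak storage (identical passwords give identical
# hashes, so one crack exposes every user sharing that password) and how a
# salted, iterated hash avoids that. Scheme choices are assumptions.
import hashlib
import hmac
import os
from typing import Iterable, Optional

ITERATIONS = 200_000  # constructed value; tune to your hardware


def weak_hash(password: str) -> str:
    """Unsalted single SHA-1 pass: same password -> same hash, every time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record, stored as iterations$salthex$dkhex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_hash_count(records: Iterable[str]) -> int:
    """Number of stored records whose value also appears on another record.

    For an unsalted store this is the count of users whose password is
    exposed as soon as one of them is cracked; for a salted store it is 0.
    """
    seen: dict = {}
    for r in records:
        seen[r] = seen.get(r, 0) + 1
    return sum(n for n in seen.values() if n > 1)
```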

Understandably, LinkedIn is reluctant to comment, other than to say:

We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behaviour.

This is a reasonable approach, and given the legal might LinkedIn is likely to be able to wield here, it is likely that they will be successful in their defence, although they may end up in an expensive trial and will suffer a lot of adverse publicity.

However, this misses what is probably the most important point – all of this could have been avoided by properly investing in security. As always, the painful lesson from this is that yet another company (and a “techy” one which really should have known better) has tried to save money and increase profits by putting its prize assets at risk.

Even if the lawsuit is unsuccessful, it is likely to cost LinkedIn significantly more than the £50 – 60k they have saved over the last ten years cutting back in their security.

This is an important lesson for every organisation to take on board. It may seem like a good move to make your security function reduce its budgets, but you will never, ever, save enough to cover the costs of one major breach.

Taking risks is part of business, but when it comes to security of critical assets, these risks should be properly managed and assessed as part of your risk management function. If you are going to gamble, make sure you are properly investing the money saved to cover the inevitable consequences. Anything else is simply bad business.
