RockYou Sued for Failing to Protect the Personal Data of its 32 Million Customers
From the press release:
An Indiana man filed a class action lawsuit Monday against RockYou, the developer of popular online applications and services for use with social networking sites such as Facebook and MySpace, after RockYou failed to safeguard the highly sensitive personal information of him and 32 million others.
The lawsuit alleges that RockYou maintained its customers’ email account and password information, as well as the login credentials for social networking sites, in an unencrypted and unsecured database. As a result, according to the lawsuit, hackers were able to harvest all of this information by utilizing a well-known and easy-to-prevent exploit.
The lawsuit is brought by Alan Claridge, Jr., of the Evansville, Ind., area. According to the suit, only after the media began reporting about the data breach did RockYou notify Mr. Claridge and others of the data breach.
“This alleged data breach was by no means unforeseeable. The means of attack has been well-documented for some time, as has been the means to prevent it,” explained Michael Aschenbrener, the lead attorney for the class action. “RockYou allegedly did nothing to prevent the attack or safeguard its customers’ sensitive personal information. How any company in possession of this much data could do nothing to secure it not only violates the law, but also basic common sense.”
The class action seeks injunctive relief and monetary damages for failing to protect RockYou user data.
On its site, RockYou had posted the following about the breach:
As we previously explained, one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format. It also included these users’ email addresses. This database had been kept on a legacy platform dedicated exclusively to RockYou.com widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches.
Importantly, RockYou does not collect user financial information associated with RockYou.com widgets. In addition, user information for users of RockYou applications on partner sites, including Facebook, MySpace, Hi5, Friendster, Bebo, Orkut, Mixi, Cyworld, etc., were not implicated by the breach. The platform breach also did not impact any advertiser or publisher information, which we maintain on a separate and secure system that is not a legacy platform. Lastly, the security breach did not affect our advertising platform or our social network applications.
However, because the platform breached contained user email addresses and passwords, we recommend that our RockYou.com users change their passwords for their email and other online accounts if they use the same email accounts and passwords for multiple online services. Changing passwords may prevent anyone from gaining unauthorized access to our users’ other online accounts. We are separately communicating with our users so that they take this step and are informed of the facts.
It’s hard to imagine the lawsuit prevailing. If anything, some regulatory agency might want to look at whether RockYou misled customers over its security and privacy protections, but I really don’t see how RockYou users are likely to get anywhere with this lawsuit in light of the bulk of court opinions about the need to demonstrate actual harm. Does any reader think this lawsuit has a snowball’s chance?
riskpundit - December 29, 2009
At this point in time, if you, as a consumer, are going to participate in any sort of on-line e-commerce or social networking activities, you have to assume a breach somewhere is going to expose your personal information. You must sign up with one of the consumer credit agencies – Equifax, Experian, or TransUnion. I have no dog in this hunt, so check out all three. Don’t wait until you can demonstrate actual harm.