
LinkedIn: Breach Cost Up to $1M, Says $2-3 Million in Security Upgrades Coming

In June, a breach disclosed by business social networking site LinkedIn resulted in the leak of a hashed password list containing some 6.5 million user passwords, forcing the company to urgently examine its infrastructure and investigate the incident that exposed some of its users.

The company, which today announced solid financial results for Q2 2012 with record revenues of $228.2 million, shared details on some of the costs associated with investigating and addressing the breach, along with investments the company plans to make in order to further bolster security.


"In the second quarter, I would say there was roughly $500,000 - $1,000,000 related primarily to forensics work and other elements of that," LinkedIn CEO Jeff Weiner said on a conference call discussing the company’s second quarter results.

Weiner also reinforced previous statements from the company that security measures have been improved following the breach.

“Since [the breach], we have redoubled our efforts to ensure the safety of member accounts on LinkedIn by further improving password strengthening measures and enhancing the security of our infrastructure and data,” Weiner said.

“The health of our network as measured by member growth and engagement remains as strong as it was prior to the incident,” he added.

While some improved security measures may have been taken, the company said more updates are in the works, with seven-figure investments in security expected to take place before the end of this year.

“In taking proactive steps to update security post the June password theft, we are assuming an additional $2-3 Million in second half expenses, more weighted toward the third quarter,” LinkedIn CFO Steve Sordello said.

Since the conference call was an earnings call, the company did not get specific as to what technologies and/or process improvements would be made to improve its security posture.

While 6.5 million leaked password hashes is by no means trivial, it’s a fraction of the more than 175 million members LinkedIn said it has as of August 2, 2012. Overall, the LinkedIn breach, while somewhat costly, did not impact the company to the degree that breaches have affected other “hacked” companies in the past, including Sony, Global Payments, and certificate authority DigiNotar, which was essentially hacked out of business.

Earlier this month, payment-processing provider Global Payments said that costs associated with a data breach disclosed in April that exposed up to 1.5 million card numbers totaled $84.4 million.

LinkedIn said page views increased 31 percent to 9.3 billion during the second quarter of 2012. When including SlideShare, which the company acquired in May 2012, there were nearly 131 million unique visitors in June 2012, making LinkedIn the 26th most visited website in the world according to comScore.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.