14 DAY TRIAL // A federal judge declined to dismiss a lawsuit seeking damages from social application developer RockYou for exposing the personally identifiable information (PII) of over 32 million people as a result of a data breach.
RockYou is one of the largest publishers of social games and applications with an active monthly user count of 130 million spanning several social networking sites.
At the beginning of December 2009, security firm Imperva notified RockYou that details of an SQL injection vulnerability affecting one of its systems was being circulated on underground hacking forums and was even exploited to extract user data.
After investigating the report RockYou publicly admitted the security breach and said the affected database was hosted on an older platform that hadn't been updated to the latest security standards.
The company notified affected customers to change their passwords used on the site. This measure was necessary because they were stored in plain text inside the compromised database.
Furthermore, some of RockYou's apps also required users to provide the company with their Facebook username and password, meaning that hackers also obtained access to a lot of people's Facebook accounts.
Following the security breach, a man named Alan Claridge from Evansville, California, filed a complaint against RockYou accusing the company of violating several federal and California laws, breaching its contract with customers and negligence.
RockYou filed a motion to dismiss the entire lawsuit for failure to state a claim, but Judge Phyllis Hamilton of the US District Court in the Northern District of California agreed to dismiss only five of the nine formulatted causes.
"The court concludes that at the present pleading state, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the PII.
"As such, the court declines to dismiss plaintiff's breach claims on grounds that plaintiff has failed to allege damages harm as a matter of law," the judge ruled. [pdf]