Last week, the Italian data protection authority (the “GPDP”) opened an investigation after reports that a dataset allegedly containing data compiled from 500 million LinkedIn profiles and other websites was available for sale on a hacker forum. Apparently, this data represents more than two-thirds of LinkedIn’s estimated 740 million users. The hacker reportedly posted approximately two million records visibly online as evidence of the dataset, and offered to sell the rest for an undisclosed bitcoin payment.
According to a statement by LinkedIn, the company investigated the posting and determined that it is “an aggregation of data from a number of websites and companies,” including publicly viewable LinkedIn member profile data that apparently was scraped from LinkedIn’s site. LinkedIn stated that it was not a data breach because no private member profile data was included in the dataset it was able to review. LinkedIn stated that such scraping of data violated its terms.
The posting of this scraped data immediately reminds us of the ongoing scraping dispute between LinkedIn and data analytics start-up hiQ, Inc. (“hiQ”). The principal issue in the case concerns the scope of Computer Fraud and Abuse Act (CFAA) liability associated with web scraping of publicly available social media profile data. In a prior ruling, the Ninth Circuit affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles.