Sony laid off security staff prior to PSN data breach, claims lawsuit
Proposed class action suit alleges that electronics giant gave pink slips to employees in network security division two weeks before hacker attack; knew customer data was at risk.
The PlayStation Network may be up and running again after April's massive security breach and the subsequent month-long outage, but the incident is leaving some longer-term reminders for Sony. For instance, the company is now dealing with a handful of lawsuits over the breach, including one filed this week alleging that Sony laid off network security staff just weeks before the breach and ignored previous smaller-scale hackings that demonstrated security holes.
The complaint accuses Sony of negligence, breach of contract, breach of fiduciary duty, and violating the federal Electronic Communications Privacy Act by not properly securing customer information. To help make its case, the suit cites a half-dozen former Sony Computer Entertainment America and Sony Online Entertainment employees as confidential witnesses, many of whom were employed with their respective companies until March of this year.
The confidential witnesses attest that Sony kept vastly different security standards for its own information and that of its customers, using out-of-date software, substandard encryption processes, and no firewalls when it came to customers' data. Additionally, the suit points out that Sony was warned in early April by hacking group Anonymous that it had become a target for cyber attacks, and it notes that in late March, "a substantial percentage" of Sony Online Entertainment's Network Operations Center, the group responsible for preparing for and responding to security breaches, had been dismissed in a round of layoffs. (SOE customer information was also compromised around the time of the PSN hack.) As for previous hacks, the suit notes widespread hacking of Modern Warfare 2 made the game "unplayable online" in January, and it refers to unspecified reports in May 2009 that unauthorized copies of customers' credit cards were emailed to an outside account.
The suit is being brought by a trio of Sony customers, two of whom were PSN members at the time of the massive security breach. The third plaintiff was a member of Sony Pictures' website and had his personal information made public when the site was hacked earlier this month by LulzSec. They are attempting to get class action status for the suit, so that it may cover all US users of PSN and Sony Pictures' site at the time they were hacked. The group is seeking monetary damages with interest, attorneys' fees, and appropriate credit monitoring services for all members of the class. Sony has already launched a program to provide affected PSN users with 12 months of complimentary credit monitoring.