Sony 'cut corners' in protecting user data, lawsuit alleges

Plaintiffs charge that Sony spent 'lavishly' on protecting its own IP while skimping on securing customer data

Three New York PlayStation Network users last week filed a federal lawsuit alleging that Sony spends 'lavishly' to secure its own intellectual property while cutting corners in protecting the personal data of its customers.

The plaintiffs, Felix Cortorreal, Jimmy Cortorreal and Jacques Daoud, accuse Sony of negligence, privacy violations and breach of contract. The trio claims that the company does not follow industry best practices to protect customer data.

Sony in April disclosed that it had been the victim of a massive data breach that had exposed personal data of some 100 million users of its PlayStation Network and Sony Online Entertainment network.

The breach also exposed credit and debit card information on millions of users of the Sony networks.

Since the breach was first disclosed, hackers have broken into various Sony websites around the world, prompting considerable concern about the company's ability to protect personal data.

The charges listed in the lawsuit filed last week in a California federal court are based on data the plaintiffs say was obtained from confidential witnesses.

The suit claims that Sony needlessly put customer data at risk by terminating a significant number of network security personnel in the two weeks prior to the initial massive data breach.

The lawsuit contends that Sony laid off the security personnel despite its knowledge of significant security vulnerabilities on the affected networks.

A Sony spokesman denied that claim.

"No security people were fired in the SOE layoff. The layoff was conducted in order to reduce costs and streamline the company's workforce," the spokesman said.

He declined further comment on the lawsuit, noting that the company does not comment on pending litigation.

The plaintiffs also contend that Sony did not encrypt personal data and failed to take other basic security precautions. Sony also needlessly delayed disclosing the breach, the suit says.

The 30-page complaint filed last week highlights an email that a PlayStation Network user is said to have sent to the company two months before the breach, warning about "widespread hacking." The emailer is said to have warned of "a security vulnerability, especially with console information," the complaint charged.

Even as Sony "recklessly declined" to provide adequate protections for customer data, the company spared no effort to protect its own development server, known internally as PS DevNetwork. The complaint quotes an unnamed former Sony employee as saying that the company had invested significant resources to create firewalls, a 'debug unit' and IP address blocking technologies to protect the development server.

"While Sony knew that these basic security measures were necessary to protect its proprietary systems, it chose to cut corners when it came to its customers' personal information and failed to implement similar safeguards on the PlayStation and SPE networks," the complaint noted.

Stuart Davidson, a partner with Robbins, Geller, Rudman & Dowd LLP, the law firm representing the plaintiffs, said he is seeking to expand the action into a class action lawsuit that seeks both compensatory and equitable relief from Sony in the form of credit monitoring services and restitution for actual losses.

"We are seeking damages for anybody who may have had their identity or personal information compromised" in the breach, Davidson said today. "We are always holding in our back pocket the possibility of seeking punitive damages as well," he added.

This is one of about 19 lawsuits filed against Sony since it acknowledged the massive breach.

For example, just days after Sony admitted to the breach in April, an Alabama man filed a federal lawsuit charging Sony with negligence, privacy violations and breach of warranty.

Davidson added that it's likely that all the pending cases will be consolidated before one judge.

In the past, lawsuits brought by consumers against companies that suffered data breaches have met with little success.

Past courts have ruled that consumers cannot claim compensatory damages unless they can show that they suffered real harm, such as actual identity theft, because of a breach.

The mere potential that they could suffer some future harm is not enough basis for claiming damages, the courts have ruled.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed.
