Three New York PlayStation Network users last week filed a federal lawsuit alleging that Sony spends 'lavishly' to secure its own intellectual property while cutting corners in protecting the personal data of its customers.
The plaintiffs, Felix Cortorreal, Jimmy Cortorreal and Jacques Daoud, accuse Sony of negligence, privacy violations and breach of contract. The trio claims that the company does not follow industry best practices to protect customer data.
Sony in April disclosed that it had been the victim of a massive data breach that had exposed personal data of some 100 million users of its PlayStation Network and Sony Online Entertainment network.
The breach also exposed credit and debit card information on millions of users of the Sony networks.
Since first disclosing the breach, various Sony websites around the world have been broken into by hackers, prompting considerable concern about the company's ability to protect personal data.
The charges listed in the lawsuit filed last week in a California federal court are based on data the plaintiffs say was obtained from confidential witnesses.
The suit claims that Sony needlessly put customer data at risk by terminating a significant number of network security personnel in the two weeks prior to the initial massive data breach.
The lawsuit contends that Sony laid off the security personnel despite its knowledge of significant security vulnerabilities on the affected networks.
A Sony spokesman denied that claim.
"No security people were fired in the SOE layoff. Layoff was conducted in order to reduce costs and streamline the company's workforce," the spokesman said.
He declined further comment on the lawsuit, noting that the company does not comment on pending litigation.
The plaintiffs also contend that Sony did not encrypt personal data and failed to take other basic security precautions. Sony also needlessly delayed disclosing the breach, the suit says.
The 30-page complaint filed last week highlights an email said to be sent to the company by a Sony PlayStation Network user two months before the breach warning about "widespread hacking." The emailer is said to have warned of "a security vulnerability, especially with console information," the complaint charged.
Even as Sony "recklessly declined" to provide adequate protections for customer data, the company spared no effort to protect its own development server, known internally as PS DevNetwork. The complaint quotes an unnamed former Sony employee as saying that the company had invested significant resources to create firewalls, a 'debug unit' and IP address blocking technologies to protect the development server.
"While Sony knew that these basic security measures were necessary to protect its proprietary systems, it chose to cut corners when it came to its customers' personal information and failed to implement similar safeguards on the PlayStation and SPE networks," the complaint noted.
Stuart Davidson, a partner with Robbins, Geller, Rudman & Dowd LLP, the law firm representing the plaintiffs, said he is seeking to expand the action into a class action lawsuit that seeks both compensatory and equitable relief from Sony in the form of credit monitoring services and restitution for actual losses.
"We are seeking damages for anybody who may have had their identity or personal information compromised" in the breach, Davidson said today. "We are always holding in our back pocket the possibility of seeking punitive damages as well," he added.
This is one of about 19 lawsuits filed against Sony since it acknowledged the massive breach.
For example, just days after Sony admitted to the breach in April, an Alabama man filed a federal lawsuit charging Sony with negligence, privacy violations and breach of warranty.
Davidson added that it's likely that all the pending cases will be consolidated before one judge.
In the past, lawsuits brought by consumers against companies that suffered data breaches have met with little success.
Past courts have ruled that consumers cannot claim compensatory damages unless they can show that they suffered real harm, such as actual identity theft, because of a breach.
The mere potential that they could suffer some future harm is not enough basis, for claiming damages, the courts have ruled.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Topic Center.