A new lawsuit seeking class-action status has been brought against Sony, this time alleging that the company not only knew it was in the crosshairs of hackers, but knowingly prioritized its own corporate data over that of its customers. According to Reuters, the suit, filed in the Southern District of California as Felix Cortorreal, Jacques Daoud Jr. and Jimmy Cortorreal, on Behalf of Themselves and All Others Similarly Situated v. Sony Corporation Inc., alleges via a “confidential source” that Sony laid off members of its Network Operations Centre during a “significant” workforce reduction (the NOC is the team responsible for noticing and responding to attacks). In addition, the lawsuit states that Sony made sure to install firewalls and other security measures to protect its own data on its developer network, but did not protect consumer data as zealously.
The lawsuit, according to Ars Technica, seeks restitution, credit monitoring services, and damages if Sony is found to have acted negligently.
Sony was attacked by hackers on April 16th and 17th. The data breach exposed customer names, addresses, email addresses and other information to the attackers. It is still unknown at this time whether credit card information was compromised, though the lawsuit treats the compromise of credit card data as fact. The Japanese PSN is still down (reg required) due to regulatory pressure.
We will update this post once we get ahold of the actual legal document.
Analysis: There’s a joke in an old George Carlin bit, making fun of older movies, that is apropos here if the allegations about Sony’s actions prove to be correct: “Do what you want to the girl, but leave me alone!”
With that stated, the discovery process in this suit should be interesting, to say the least. The lawsuit mentions a lot of “confidential sources”, and considering the timing of everything, one would have to assume going in that these are some of the NOC employees who were laid off. I hope for their sake that their names aren’t made public, because if that happens, they can welcome themselves to a solid blacklisting.
Beyond that, some of the claims in this suit are going to be hard to prove. Some of them – like the claim, which Ars points out, that Sony’s unwillingness to disclose its encryption standards amounts to an admission of their weakness – are just pathetic. Even the layoff of NOC personnel isn’t really indicative that Sony was inviting trouble; if that were the case, I could have sued my past employer, because they actually had a self-induced security hack after they replaced some of their staff (myself included) with some knob-head in the Philippines (beginner’s tip to network security: do not open up inbound connections on a firewall to *.*.*.*. Just trust me). Besides, I’m not sure additional NOC staff would have prevented this; Sony’s problems were based on leadership from the top down and had little to do with the trenches, so throwing more bodies at the problem wouldn’t necessarily have worked, even if cutting staff is a curious response to explicitly knowing that they were being targeted over the George Hotz litigation. The BIG thing to me, and what will likely be the big thing to any judge who sees this case, is the accusation that Sony put protections on its corporate data that it didn’t put on its customer data, especially if it becomes a known fact that credit card data has been compromised. The latter would add a whole other layer to this issue and, if true, would make Sony culpable.
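The “do not open inbound connections to *.*.*.*” tip above is easy to state and easy to violate by accident in a long ruleset. As an added example (not the author’s code, and nothing to do with Sony’s actual configuration), the script below audits an `iptables-save` dump for INPUT rules that ACCEPT traffic from any source on any port, which is the any/any mistake in question. The sample dump is constructed for the example; the rule and option names are standard iptables syntax, but the classification heuristic (a rule is “wide open” if it accepts without a source, port, loopback or established-state restriction) is this example’s own assumption.

```python
"""Flag wide-open inbound rules in an iptables-save dump (added example)."""
import shlex
from typing import Dict, List, Optional

# Source specs that match everything; a rule with one of these (or no -s at all)
# is not restricted by origin.
WILDCARD_SOURCES = {"0.0.0.0/0", "0.0.0.0/0.0.0.0", "0/0", "::/0"}

# Constructed sample dump for the example; not taken from any real host.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -j ACCEPT
COMMIT
"""


def parse_rule(line: str) -> Optional[Dict[str, str]]:
    """Parse one '-A CHAIN ...' line into {option: value}.

    Returns None for non-rule lines (table names, chain policies, COMMIT).
    A negated match ('! -s 10.0.0.0/8') is stored under '!-s' so that it
    does not count as a positive source restriction.
    """
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "-A" or len(tokens) < 2:
        return None
    rule: Dict[str, str] = {"chain": tokens[1], "raw": line.strip()}
    i, negate = 2, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        key = ("!" if negate else "") + tok
        negate = False
        # Option with a value ('-p tcp', '--dport 22') vs. a bare flag.
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            rule[key] = tokens[i + 1]
            i += 2
        else:
            rule[key] = ""
            i += 1
    return rule


def is_wide_open(rule: Dict[str, str]) -> bool:
    """True if the rule ACCEPTs new connections from anywhere on any port."""
    if rule.get("-j") != "ACCEPT":
        return False
    src = rule.get("-s")
    if src and src not in WILDCARD_SOURCES:
        return False                      # limited to a source network
    if rule.get("-i") == "lo":
        return False                      # loopback only
    if "--dport" in rule or "--dports" in rule:
        return False                      # limited to a service port
    state = rule.get("--ctstate") or rule.get("--state")
    if state and "NEW" not in state.split(","):
        return False                      # only reply traffic, not new connections
    return True


def audit(dump: str, chain: str = "INPUT") -> List[str]:
    """Return the raw text of every wide-open ACCEPT rule in the given chain."""
    findings = []
    for line in dump.splitlines():
        rule = parse_rule(line)
        if rule and rule["chain"] == chain and is_wide_open(rule):
            findings.append(rule["raw"])
    return findings


def chain_policy(dump: str, chain: str = "INPUT") -> Optional[str]:
    """Return the default policy (e.g. 'DROP') declared for a chain, if any."""
    for line in dump.splitlines():
        if line.startswith(":" + chain + " "):
            return line.split()[1]
    return None


if __name__ == "__main__":
    print("INPUT policy:", chain_policy(SAMPLE_RULES))
    for hit in audit(SAMPLE_RULES):
        print("WIDE OPEN:", hit)
```

On a live box the same check is `sudo iptables-save | python3 audit.py` with `SAMPLE_RULES` swapped for `sys.stdin.read()`. Note that a default policy of DROP is worthless once an unconditional `-A INPUT -j ACCEPT` sits above the rules that were meant to do the filtering, which is exactly what the two flagged lines in the sample represent.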