The data breach has resulted in a situation former employees claim is "better suited to a cinematic thriller than to real life."Specifically, the class action lawsuit alleges Sony failed to take adequate precautions to prevent the massive data breach and protect the personal information of more than 15,000 employees, both past and present.
"ony failed to secure its computer systems, servers and databases despite weaknesses it has known about for years"the complaint states. "Their most sensitive data, including over 47,000 Social Security numbers, employment files including salaries, medical information, and anything else that their employer Sony touched, has been leaked to the public, and may even be in the hands of criminals." The lawsuit cites an email from Sony' general counsel, among other internal documents obtained in the leak, that expresses concern that the company' network security and email retention policies left it vulnerable to an attack, such as the one it has now suffered.
The lawsuit also claims that Sony had previous suffered cyberattacks, including a data breach in 2011 where hackers gained access to the company' PlayStation Network and Qriocity systems, exposing up to 31 million user' data.
Lawsuits brought against Sony over the resulting consolidated lawsuits were settled for $15 million in games, online currency and identity theft reimbursement. However, according to the current lawsuit, the security issues were not resolved.
According to the lawsuit, rather than remedying the ongoing security concerns fully, Sony executives "made a business decision to accept the risk of losses associated with being hacked"rather than pay for expensive system upgrades. "If only Sony had heeded its own advice in time,"the complaint says.
Initially, current Sony employees were offered identity theft monitoring, this was eventually extended to 12-month coverage by a third party to ex-employees. The lawsuit states the delay was unfair to ex-employees, some of whom, including the two class representatives, already purchased expensive identity theft monitoring packages.
According to the complaint, Sony' ex-employees call the company' deal inadequate, noting that the credit monitoring and insurance it provides cannot prevent identity fraud, only inform them when it happens. Additionally, the suit alleges that federal agencies have acknowledged that hackers sometimes hold stolen data for over 12 months and that identity fraud can continue to be a threat for many years.
Consequently, the Sony data breach class action lawsuit seeks more substantial protections, including credit card and banking monitoring services for five years, as well as identity theft insurance and credit restoration services, also for five years. The suit asks the court to force Sony to do more to address the potential identity fraud that may follow those affected by the breach indefinitely.
The proposed class includes current and former employees whose personal information was compromised in the leak, including two subclasses in Virginia and California.
The plaintiffs are represented by Lynn Lincoln Sarko, Gretchen Freeman Cappio, Cari Campen Laufenberg and Amy N.L. Hanson of Keller Rohrback LLP.
The case is Corona et al v. Sony Pictures Entertainment, Inc., case number 2:14-cv-09600, in the U.S. District Court for the Central District of California.