Tag Archives: lawsuit

CA Legal News: Class Action Suit against Sony because of PlayStation Network Breach

What Happened?

Sometime between April 17 and April 19, 2011, hackers broke into the Playstation Network (Bloomberg). On Wednesday, April 20, 2011, Sony shut down the PlayStation Network and Qriocity services in response to the intrusion, but did not inform consumers of the intrusion. (Bloomberg; Seybold 04/26/2011).

Sony lacked the in-house expertise to evaluate the intrusion, but instead of informing consumers about the intrusion so that they might mitigate any possible damage, this information was kept secret.

By Tuesday,  Sony had “reported the breach to the Federal Bureau of Investigation in San Diego, which specializes in compute r crime”( Stelter & Bilton).  To provide the FBI with information about the case you can call the FBI headquarters at (202) 324-3000.” (Snider).

Although Sony executive Patrick Seybold, Sr. Director, Corporate Communications & Social Media, claims that they “Quickly [took] steps to enhance security and strengthen our network infrastructure” (Seybold). Journalists are questioning how “quick” Sony’s response was given the intrusion occurred around April 18th and clients were not informed about the possibility that their information was compromised until Tuesday April 26th (Theriault).

Moreover, consumers and journalists are not impressed with the fact that Sony did not already have a safe system, but instead waited for this intrusion before “re-building [their] system to provide [users] with greater protection of [their] personal information” (Seybold ). Even Senator Richard Blumenthal, contacted Sony, “saying he was troubled that the company had not notified customers sooner about the breach” (Ogg).

Should Users be Concerned?

Although Ann Carrns, blogging for the New York Times, claims that users should “remain calm”, what she actually means is that those consumers who used credit cards rather than debit cards and who regularly monitor their credit card statements and bank statements and can afford a “limited” debit card loss, should remain calm. Oh and anyway, these types of hackers, Carrns writes, “are often looking for notoriety, rather than to resell financial information” (Carrns).

Wall Street Journal blogger, Ben  Rooney, indicates that the type of data stolen is very valuable, “complete data including billing address, email addresses and personal information like dates of birth, represent the rich data that allow highly targeted attacks against individuals. This sort of data commands much higher prices—and is much sought after by cyber criminals” (Rooney).

“With the sort of data compromised it is possible for criminals to commit identity theft and use your details to open bank accounts, take out mobile phone contracts, and even re-direct your mail. Security professionals suggest obtaining a copy of your credit report which should give a complete account of your status as well as any searches against your credit history” (Rooney).

Graham Cluley, of naked security, the IT security blog of the year, explains how hackers could use the stolen information to “[b]reak into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you” (Cluley).

Carrns optimism seems to be unfounded, given that senior threat researcher, Kevin Stevens from the security firm Trend Micro, “said that the forums indicated the hackers had a database containing the personal information, and that they were hoping to sell it “for upwards of $100,000.” Apparently the hackers had even tried to sell the information back to Sony, but they didn’t receive a reply from the Japanese electronics company” (Mogg). I guess these are the rare hackers that prefer millions of dollars over notoriety.

How are users responding?

Some users have already begun to report  fraudulent charges on their credit and debit cards. One user  said that “a ticket was purchased through a German airline for nearly $600” leaving her with a negative account balance of $500 (Kuchera).

An Alabama user has already filed a class action suit against Sony in the 9th District court, asking among other things for monetary compensation and free credit card monitoring (Ogg) . The complaint asks for:

“1)An order certifying this case as a class action and appointing Plaintiff and his counsel to represent the Class.

2) Restitution and disgorgement of all amounts obtained by Defendant as a result of its misconduct, together with interest thereon from the date of payment, to the victims of such violations.

3) Actual damages for injuries suffered by Plaintiff and the Class.

4) Compensatory money damages according to proof.

5) Statutory damages according to proof.

6) An order requiring Defendant to immediately cease its wrongful conduct as set forth above; enjoining Defendant from continuing to falsely market and advertise, conceal material information and conduct business via the unlawful and unfair business acts and practices complained of herein; ordering Defendant to engage in a corrective notice campaign; and requiring Defendant to refund to Plaintiff and all members of the Class the funds paid to Defendant for the defective PlayStations and PSN services; ordering Defendant to pay for credit card monitoring for Plaintiff and all members of the Class.

7) Punitive damages.

8) Attorneys’ fees and costs.

9) For statutory prejudgment interest.

10) For such other relief as this Court may deem just and proper” (JOHNS v. SONY).

In short the complaint alleges that Sony did not take “reasonable care to protect, encrypt, and secure the private and sensitive data of its users” and that this precluded consumers from being able to make informed decisions about how to best mitigate the possible damages that could result from having their information stolen (Ogg; Clark).

Senators Dick Blumenthal, and Bobby Rush have both responded to the breach with press releases. Blumenthal berates Sony execs in a letter, for mishandling the breach and for failing to have adequate security precautions. Rush gets to the heart of the matter, and calls for Republican senators to work with democrats to get a bill passed that would require corporations to take better security precautions with users data (Blumenthal; Rush).

What repercussions will this have for Sony?

Sony will likely face staggering legal bills, not to mention that they will likely want to start placating  consumers financially, even before the suit is settled or tried (Clark). Whether or not gamers will vote Sony off the island by, is yet to be seen, but at least one journalist thinks they would be crazy not to. “… the gamer (and any sane consumer) also says this: If you are cavalier with my personal information I will punish you by walking away” (Schiesel).

References