Sony facing class-action suit over PSN breach

Sony has unsurprisingly been hit with a class-action lawsuit in light of the user data breach that it admitted yesterday. The suit seeks monetary compensation and credit monitoring services.


It's barely been a day since Sony confirmed that user data had been hacked, and already the company is the subject of a class-action lawsuit. IGN obtained court documents, filed in the district court of San Francisco on behalf of one Kristopher Johns. The allegations include breach of warranty, negligent data security, and violation of consumer rights to privacy, among other charges.

The suit seeks monetary compensation for the data loss, along with credit monitoring services like Senator Richard Blumenthal proposed yesterday. Since it's a class-action suit and Sony has said all user data could be compromised, the suit could potentially include anyone from the nearly 80 million registered PlayStation Network accounts.

"We brought this lawsuit on behalf of consumers to learn the full extent of Sony PlayStation Network data security practices and the data loss and to seek a remedy for consumers," said attorney Ira P. Rothken, who filed the complaint. "We are hopeful that Sony will take this opportunity to learn from the network vulnerabilities, provide a remedy to consumers who entrusted their sensitive data to Sony, and lead the way in data security best practices going forward."

The breach of trust is "staggering" according to J.R. Parker, Rothken's co-counsel on the case. "One would think that a large multinational corporation like Sony has strong protective measures in place to prevent the unauthorized disclosure of personal information, including credit card information," he said. "Apparently, Sony doesn’t."

The revelation yesterday was met with sharp criticism, particularly regarding the amount of time between Sony pulling the plug on the PlayStation Network last Wednesday, and revealing the data breach just yesterday. In response, Sony corporate communications director Patrick Seybold issued a statement explaining the gap, but we would expect Sony's week-long silence to come up in the court case regardless.

Editor-In-Chief
From The Chatty
  • reply
    April 27, 2011 2:20 PM

    Steve Watts posted a new article, Sony facing class-action suit over PSN breach.

    Sony has unsurprisingly been hit with a class-action lawsuit in light of the user data breach that it admitted yesterday. The suit seeks monetary compensation and credit monitoring services.

    • reply
      April 27, 2011 2:22 PM

      [deleted]

    • reply
      April 27, 2011 2:27 PM

      I've read on several sites that hackers discovered in January that our credit card information was not encrypted. I don't know if this is true or not but if Sony was indeed that careless with our info then this suit is deserved. Either way I hope the hackers are caught.

      • reply
        April 27, 2011 2:37 PM

        This has been massively overblown. Payment information is sent to Sony via an SSL in much the same way that credit card information can be sent securely through a standard web page. It doesn't need to be encrypted prior to that.

        • reply
          April 27, 2011 3:31 PM

          Securing information as you transmit it, and securing it when you store it, are two completely different things.

          • reply
            April 27, 2011 3:42 PM

            I know, I'm only talking about the plaintext transmission revelation from earlier in the year, which caused a major freak-out. The reasonable assumption was (and still is?) that sensitive information is encrypted on the server prior to it being stored.

            • reply
              April 27, 2011 3:47 PM

              That would be the reasonable assumption, but my understanding is that Sony essentially implied, when they stated the scope of the breach, that it was not. That is, they stated that when the data source was compromised, everything was compromised; not that the plain text stuff was compromised and it's potentially plausible that sensitive information can be brute force cracked if a strong password was not used.

        • reply
          April 27, 2011 3:48 PM

          [deleted]

          • reply
            April 27, 2011 4:16 PM

            he's not saying that. fauljosh's post is slightly incorrect in that the 'discovery' in January was that credit card info was being sent across the web in plain text.
            spookyd is saying that that thing was overblown, because it actually is secure due to the fact that it's using SSL to send that info, but in January nobody realised that it was then actually being stored unencrypted, which is sad. :(

      • reply
        April 27, 2011 2:49 PM

        Stop typing whatever YOU think Fauljosh.... At least you support catching these guys, seems everyone is forgetting that....

    • reply
      April 27, 2011 2:34 PM

      Sony deserves everything that's coming to them for unacceptable levels of security, especially if the rumours regarding unencrypted transmission and plain text password storage are true.

      The hacker(s) deserve to be put into federal pound me in the ass prison.

      Fuck both of 'em.

      Also I want to play Outland, dammit.

    • reply
      April 27, 2011 2:39 PM

      If what I've read is true (unencrypted passwords? really Sony?) they deserve to be put out of business if for no other reason than to hammer home to other companies that this lax level of security with your customers' private information cannot be accepted at all. That being said I hope The Last Guardian is released before Sony's demise.

    • reply
      April 27, 2011 3:04 PM

      This reminds me of the early days of the PS3 when everyone was quick to hate it simply because it existed. I love how all these analysts are coming out of the woodwork now saying it's staggering Sony didn't have more measures in place to prevent this... what a load of BS... this can happen to anyone, no one is safe from a determined hacker. Everyone owes Mr. Geohotz a big old thanks for his "awesome" work... the trickle down effects have been amazing.

      • reply
        April 27, 2011 3:09 PM

        George Hotz is an arrogant hack. The hacker group fail0verflow were the ones who displayed the 45 minute presentation at 27C3 on how they were able to decrypt the PS3's code signing private key, but didn't disclose the key itself. All that GeoHot did was say "Oh, thanks!" and post the key out in the open.

        • reply
          April 27, 2011 3:10 PM

          He's done plenty of real work, too; it's not accurate to dismiss him entirely.

          • reply
            April 27, 2011 3:11 PM

            And I might add it's also not clear at all that this intrusion is even related.

            • reply
              April 27, 2011 3:17 PM

              His iPhone work was probably his best work, but his posting of the private key was low-class, and he paid for it.

              This breach and GeoHot are unrelated (hopefully; GeoHot said he was boycotting Sony, after all); I just can't let a comment of "everyone thank GeoHot" slide, because that's not where the true credit is due. The fail0verflow group had some pretty nice and mind-boggling crypto work there (you are NOT supposed to be able to decrypt a private key like that, unless of course the crypto implementation is flawed, as it was in the PS3).

              • reply
                April 27, 2011 3:29 PM

                So you're saying without the key that Geohotz released, this was possible? I was under the impression they used hacked PS3s to gain access to the infrastructure... correct me if I'm wrong (:

                • reply
                  April 27, 2011 3:46 PM

                  Without the key that fail0verflow proved was extractable, this wouldn't be possible.

                  All that GeoHot did was follow the recipe, with some additional work that he didn't disclose, and then posted the key out in the open. Classless HACK.

                  • reply
                    April 27, 2011 4:20 PM

                    The key was not necessary for the firmware to be changed. It was the release of that new (devmode) firmware that started this. Your information is incorrect.

                  • reply
                    April 27, 2011 4:37 PM

                    the ignorance flows so freely on the shack.

                    • reply
                      April 27, 2011 4:40 PM

                      Geohot did a lot of the early EE work on the PS3 as well. He had a guide on how to access the hypervisor with some heavy duty EE and this was the basis of all USB jailbreaks.

                      • reply
                        April 27, 2011 4:41 PM

                        The service mode guide helped as well :P

            • reply
              April 27, 2011 3:32 PM

              I think it's related in the sense that, without the Geohotz/Sony public fiasco, it wouldn't have spurred the "let's attack PSN" party that followed it.

      • reply
        April 27, 2011 3:12 PM

        If some of the stuff being discussed is real (like in the post immediately before yours) it's in no way a "load of BS." I'm not any kind of security expert and it sounds ridiculous even to me. It would be ridiculous for a small-time website, much less fucking PSN.

      • reply
        April 27, 2011 3:17 PM

        The means by which they dealt with this situation is a lot more damning than how or why it happened in the first place. It has also revealed some staggering levels of incompetence in other areas, e.g. the public availability of PSN/Qtricity HTTP access logs.

      • reply
        April 27, 2011 3:40 PM

        The only problem I see with your comment is that it's not true.

      • reply
        April 27, 2011 4:09 PM

        I'm sorry, but when you have to REWRITE YOUR NETWORK because of something like this, you done fucked up. Did they know about how shitty it was all along and were just hoping something like this wouldn't happen?

        All evidence points to terrible security practices on Sony's part.

      • reply
        April 27, 2011 4:29 PM

        There is no evidence that this has anything to do with GeoHot or Anonymous. Stop spewing these unsupported rumors.

        • reply
          April 27, 2011 4:32 PM

          you can't say anonymous wasn't involved unless the hacker comes out and says so, because by being anonymous he implicitly is a member of the organization that simultaneously includes no one and everyone

          • reply
            April 27, 2011 4:38 PM

            Indeed. As are you and I.

            RikiTiki2, we could be the hackers :(

          • reply
            April 27, 2011 5:15 PM

            wtf is this nonsense, Anonymous anonymous

            • reply
              April 27, 2011 5:18 PM

              ugh, Anonymous != anonymous

              • reply
                April 27, 2011 5:47 PM

                how do you determine who is in Anonymous if their membership is anonymous?

                • reply
                  April 27, 2011 5:51 PM

                  I believe the onus is on you to make the determination, you're the one making the statements.

    • reply
      April 27, 2011 3:37 PM

      Heh, I remember getting paid out many years ago in a class action lawsuit against... I think it was amazon.com? I can't even remember, because the actual action was pretty mundane. Anyway, after all was said and done I received something stupid like $16.

      • reply
        April 27, 2011 3:44 PM

        Oh no, I remember it was paypal I think.

    • reply
      April 27, 2011 3:38 PM

      How do I get in on this lawsuit?

    • reply
      April 27, 2011 3:48 PM

      [deleted]

      • reply
        April 28, 2011 7:13 AM

        Then place a fraud alert with the credit companies and be done with it. Fraud insurance isn't really necessary after that because there are laws to protect you.

    • reply
      April 27, 2011 3:49 PM

      Given how unclear it is what the facts are, whether Sony truly handled personal information like a bunch of idiots or whether these were just some really gifted and determined hackers, it's hard for me to see this as anything more than a digital ambulance chase at the moment.

      • reply
        April 27, 2011 3:58 PM

        Well how else would you find out specific details of what happened, if not a lawsuit? Wait for Sony to feel like divulging it?

        • reply
          April 27, 2011 6:50 PM

          A situation where a large sum of money is at stake tends to cast doubt on what's decided to be the truth. Although I do admit that's better than nothing.

    • reply
      April 27, 2011 4:26 PM

      Saw this posted around, not sure how reliable the source is though: http://lo-ping.org/2011/04/26/psn-hacker-chat-logs/

      aswell you should never ever install a CFW from someone unknown
      cuz its way too easy todo scamming at this point
      for example:
      creditCard.paymentMethodId=VISA&creditCard.holderName=Max&
      creditCard.cardNumber=**********&creditCard.expireYear=****&creditCard.
      expireMonth=*&creditCard.securityCode=***&creditCard.address.address1=
      example street%2024%20&creditCard.address.city=city1%20&creditCard.
      address.province=abc%20&creditCard.address.postalCode=12345%20
      sent as plaintext
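
The two points the thread keeps circling back to (SSL only protects data in transit, and a form body like the one quoted above is dangerous the moment it is persisted as-is) are easier to see side by side. The following is an added example, not code from the article or from Sony; the sample request body is constructed to resemble the quoted one (the card number is the standard Visa test number, the password and other values are made up), and the function names are my own. It parses the form, shows what a naive service would store, and contrasts that with a record that keeps only the last four digits and an opaque token for the card, drops the security code entirely (PCI DSS does not permit storing it after authorization), and keeps a salted PBKDF2 hash rather than the password. A final audit helper reports which raw secrets survive verbatim in each stored record.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Set
from urllib.parse import parse_qs

# Constructed sample body, shaped like the form data quoted in the thread.
# 4111 1111 1111 1111 is the well-known Visa test number; nothing here is real.
SAMPLE_BODY = (
    "creditCard.paymentMethodId=VISA&creditCard.holderName=Max&"
    "creditCard.cardNumber=4111111111111111&creditCard.expireYear=2014&"
    "creditCard.expireMonth=6&creditCard.securityCode=123&"
    "creditCard.address.postalCode=12345%20&account.password=hunter2"
)

# Fields that must never be written to disk in their raw form.
SECRET_FIELDS = ("creditCard.cardNumber", "creditCard.securityCode", "account.password")

PBKDF2_ROUNDS = 200_000  # assumption: a modest work factor for the demo


def parse_form(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, so obviously garbled card numbers are rejected early."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries the parameters needed to verify."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                 int(rounds), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def store_plaintext(fields: Dict[str, str]) -> Dict[str, str]:
    """The naive record: whatever arrived over SSL is written down unchanged.
    Transport encryption has done its job by now; a database dump exposes all of it."""
    return dict(fields)


def store_hardened(fields: Dict[str, str]) -> Dict[str, str]:
    """The record a service should keep: truncated PAN, opaque token, no CVV, hashed password."""
    pan = fields["creditCard.cardNumber"]
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    return {
        "card_brand": fields["creditCard.paymentMethodId"],
        "card_last4": pan[-4:],
        # Assumption: in a real system this handle comes from a payment processor or
        # card vault; a random token stands in for it here.
        "card_token": secrets.token_hex(16),
        "expiry": "{:02d}/{}".format(int(fields["creditCard.expireMonth"]),
                                     fields["creditCard.expireYear"]),
        "password_hash": hash_password(fields["account.password"]),
    }


def exposed_secrets(record: Dict[str, str], fields: Dict[str, str]) -> Set[str]:
    """Audit helper: which raw secret values from the request appear verbatim in the stored record."""
    stored_values = {str(v) for v in record.values()}
    return {name for name in SECRET_FIELDS if fields[name] in stored_values}


if __name__ == "__main__":
    fields = parse_form(SAMPLE_BODY)
    print("naive record leaks:   ", sorted(exposed_secrets(store_plaintext(fields), fields)))
    print("hardened record leaks:", sorted(exposed_secrets(store_hardened(fields), fields)))
```

Running it prints three leaked field names for the naive record and none for the hardened one; that gap is exactly the difference between "sent over SSL" and "encrypted or minimised at rest" that the thread is arguing about.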

      • reply
        April 27, 2011 4:44 PM

        Don't believe everything you read off the internet.... Anyone could make that up and post it just the stir the fire more.... Anon is still alive and breathing thanks to the dick heads out there that support their cause for nothing...

    • reply
      April 27, 2011 4:34 PM

      I don't get it, Sony gets hacked so people sue them? Its not their fault YOU trusted them with your information and its not their fault they got hacked (anything and everything can be hacked). I honestly don't care about Sony and they really shouldn't be sued.
      This is just as dumb as the lady who sued McDonalds for burning herself with coffee, just an excuse to get easy money.

      • reply
        April 27, 2011 7:06 PM

        It's actually kind of an interesting case. http://en.wikipedia.org/wiki/Liebeck_v._McDonald%27s_Restaurants

      • reply
        April 27, 2011 7:45 PM

        i'm suing your for this post

        • reply
          April 27, 2011 7:45 PM

          with spelling like that how can i go wrong

          • reply
            April 27, 2011 8:12 PM

            I'm sewing you for this spelling.

            • reply
              April 27, 2011 8:15 PM

              eventually he'll have to rip what he sews

      • reply
        April 27, 2011 8:12 PM

        [deleted]

        • reply
          April 27, 2011 8:37 PM

          That is probably the worst represented case in the history of legal cases.

          The McDonalds case actually had HUGE merit, and was handled correctly.

      • reply
        April 27, 2011 9:42 PM

        it is their fault for storing sensitive information in clear text. each and every one of those fields should have been encrypted.

      • reply
        April 28, 2011 3:00 AM

        Where is this "anything and everything can be hacked" nonsense coming from? Do people actually think that?

      • reply
        April 28, 2011 6:31 AM

        I've said it before, but you guys really need a Data Protection law as strict as the UK's http://en.wikipedia.org/wiki/Data_Protection_Act_1998#Plain-language_summary_of_key_principles At least to stop retarded companies collecting things like SSNs for no reason then leaving them on USB sticks.

      • reply
        April 28, 2011 6:34 AM

        While I do think the McDonalds lawsuit was probably decided incorrectly, I do not think that this lawsuit against Sony is frivolous.

        In Law and Economics, a generally agreed-upon rule of thumb is that the party that is able to avoid an accident at the lowest cost should be assigned liability. For example, if a plane crashes into your house, the owner of the plane is liable for the damage caused, because there is nothing you could do to avoid the accident. (I am avoiding the question of strict liability, negligence, strict liability with a defense of contributory negligence, etc., as it's not crucial here.) The lowest-cost avoider should face liability for damage caused.

        In the case of the coffee, I don't think it's clear that McDonalds was the lowest-cost avoider. In the case of protecting personal information, however, I think it is pretty clear that Sony is the lowest-cost avoider of damage. Once the information is provided, there is little consumers can do to protect it. They can insure against identity fraud, but that's a second-best response; the first best would be for Sony not to allow the data to be stolen in the first place. One could also say that consumers could protect themselves by simply never providing personal information, but this would ultimately make both Sony and the consumers worse off, compared to a world in which Sony simply does a better job with security. Making Sony liable gives them (and anyone else storing personal information) an incentive to avoid the damage caused by the theft of that information.

      • reply
        April 27, 2011 7:06 PM

        That sounds like you have to enter a contract first

        • reply
          April 27, 2011 10:14 PM

          What do you think happened when you clicked "accept" on that EULA the first time you connect to PSN?

    • reply
      April 27, 2011 5:04 PM

      They should apologize with the return of PS2 backwards compatibility.

      • reply
        April 27, 2011 5:09 PM

        yes, via an add on module that you can buy for $100 and plugs right into the system.

      • reply
        April 27, 2011 6:46 PM

        I can play PS2 games on my PS3, have been since I bought it. Then again I do have an original 60 GB.

    • reply
      April 27, 2011 6:52 PM

      [deleted]

      • reply
        April 27, 2011 7:42 PM

        Probably so they can pad their subscriber numbers compared to Xbox Live.

        Supposedly it was prevalent to have PSN accounts in different regions to get access to region specific content.

    • reply
      April 27, 2011 9:03 PM

      wait so is ~80 million the number of accounts, or number of people with accounts?
      • reply
        April 27, 2011 9:06 PM

        80 million accounts, a lot of people had multiple accounts and accounts made for their kids.

    • reply
      April 28, 2011 9:12 AM
      /facepalm

    • reply
      April 28, 2011 1:46 PM

      LOL.... dude is gonna get a check for 15 bucks and labeled as a jerkoff by all the people who know him.... service is free.... credit checks are free... and credit card info was secured.... good luck with that one....

      Hope he likes the title of "That guy" from now on...
