Sony facing another PSN breach lawsuit

A new suit filed against Sony regarding the PlayStation Network data breach alleges that Sony knew of a threat due to smaller attacks, laid off several network security workers just before, and protected its own data more carefully than user data.

11

A new suit filed by customers against Sony makes a series of specific allegations against the company regarding its actions just before and during the PlayStation Network breach, Reuters reports. According to the suit filed in a San Diego federal court on Monday, Sony laid off a "substantial percentage" of the Sony Online Entertainment division, including some from its Network Operations Center. The report cites an anonymous witness.

The suit also alleges that Sony had been experiencing smaller breaches of security prior to the attack, and that it spent money to install firewalls and security measures to protect its own corporate data, but not user data.

Sony is already facing a class-action lawsuit over the PlayStation Network data breach. This new suit is separate, but seemingly has much more detail. We'll be watching it closely.

Editor-In-Chief
From The Chatty
  • reply
    June 23, 2011 11:55 PM

    Steve Watts posted a new article, Sony facing another PSN lawsuit.

    A new suit filed against Sony regarding the PlayStation Network data breach alleges that Sony knew of a threat due to smaller attacks, laid off several network security workers just before, and protected its own data more carefully than user data.

    • reply
      June 24, 2011 8:52 AM

      Even being someone who was directly affected by their recent security breaches, I still don't blame Sony for this. No one forced the hacker group Anonymous (or any other parties involved) to hack Sony, and they did so solely for their personal interests. This group argued that they did this in retaliation to a lawsuit Sony won against another hacker group; that's a BS reason to screw over a large number of hardworking people (referring to both Sony and their customers who were impacted by this, which again - includes me). Word to the wise; if you don't want to be sued, don't break the law. Screw these hackers for putting Sony in a position that requires them to use our subscription fees and/or their other profits for legal fees and extra security.

      And as a last side note - I hope no one tries to go with the "Sony is a greedy money-hungry corporation that deserves all the bad karma" argument. Sony is nothing more than a large group of individuals (such as ourselves) doing everything they can to support their family and provide the best possible financial situation for themselves and their families' future generations. I see no problem with a business comprised of businessmen and businesswomen trying to be profitable to the highest degree. Screw these hackers!

      • reply
        June 24, 2011 9:16 AM

        Even if we all agree with you, that doesn't cover the apparent lack of security, encryption and diligence to protect user data. But, in part, I do agree with you. The individual contributors that work in any company are rarely directly to blame. Management, and especially executive management on the other is almost always largely to blame. But, that's also why they get paid so much - to compensate for the added responsibility. In this case, I can't help but wonder if a VP of security or CIO/CTO was forced to choose between hitting his numbers and having better security. Pretty clear which was chosen.

        • reply
          June 24, 2011 9:27 AM

          Why are they largely to blame? Because some group of losers decided to try and ruin their business? Blame shouldn't be placed victims, and being realistic, Sony is more of a victim in this scenario than any single individual (other customers and myself included). They've been hurt more, lost more financially, and have taken a PR hit in a variety of ways. I still don't see the point in blaming a business or its' CEOs, VPs, etc., for trying to be profitable and full their pockets - that's generally the point of all businesses that aren't non-profit.

          • reply
            June 24, 2011 9:33 AM

            When you give a corporation your data there is an expectation that it will be protected. If, as this lawsuit suggests, they were lackluster in their customer data protection, then they can be held liable for the data breach.

          • reply
            June 24, 2011 9:40 AM

            By offering a service that requires customers to disclose personal data, it's the company's responsibility to secure those systems. The laws enforcing that are still young, and lawsuits and legislation are what will strengthen them. The most strict part of all this is credit card info, and that's enforced by an industry cartel called PCI, and not any government. Most international governments are still living in 1970's era technology.

            Personally, if all game publishers are going to mandate signing up and leaving personal info on their servers, they have a duty to adequately secure those servers. Sony failed to do that, and so did many other publishers and developers in the past few weeks. That's a long list of forums, loyalty programs, and online auth solutions that I won't be using because I don't trust them. I'm already hedging a bet on Steam, but they've been running for years, and seem to know how to run and secure an online service.

          • reply
            June 24, 2011 2:39 PM

            They are to blame because in the US it is a privilege to run a business. The government allows its constituents to pull together for the purchase of commerce. You're given permission to do when you form your company; especially if it's an LLC or incorporated. This "permission" comes with various requirements; in this case we're talking about taking the necessary steps to safeguard customer and consumer data. And, as has already been pointed out, there are various laws that require business to do just that. There is a lot of responsibility to run or own a company. It only increases when you're a public company (especially in the post SOX era) and more so as you become a dependency by your customers. In my HSO, Sony management made a bad call to chase profits over customer protection. I get that they were probably hurting (and have been) and needed to do what it could to try to make a profit. But, it came back to bite them and will now cost them more, as you even pointed out, in the long run.

            Can I get a d'oh?

          • reply
            June 24, 2011 3:03 PM

            they way they were dressed secured, they were asking to be raped hacked.

            Don't dress like a slut sony

        • reply
          June 24, 2011 9:33 AM

          Point is - if these hackers didn't exist and didn't create chaos, Sony would have more take-home profits and be using more of their overall profits to improve their games. The only reason the security-industry exists altogether (both physical security and digital security) is because someone feels the need to keep something safe. So the question is: why do they feel the need to keep that something safe? The answer is: because someone is trying to do something malicious to someone else. I still can't see an argument that blames Sony and takes the fault away from these hackers.

          Maybe I sound like a corporate donkey, but I'm a firm believer in doing the right thing. It's our choice to be Sony's customers and to accept their use of the profits we provide them, if we don't like that we can simply cancel our subscriptions and not buy their products. These scrubs interfere with that consumer-provider relationship, and I'm not going to hold Sony any more accountable for this than they will me.

          • reply
            June 24, 2011 9:41 AM

            Both Sony and the hackers share the responsibility. Everyone who does business online knows the risks. There are entire fields of study devoted to information security. It is the responsibility of those collecting sensitive data to keep it secure.

            To put the blame entirely on the hackers is to ignore the fact that Sony knew the risks and chose to ignore them.

          • reply
            June 24, 2011 9:42 AM

            Yeah you sound like a huge corporate donkey.

          • reply
            June 24, 2011 9:48 AM

            So, if you deposit a thousand dollars in cash at the bank, and the bank fails to lock the door, you don't think the bank's negligence contributed significantly to your loss when a bank robber strolls into the open vault and steals your money? Whenever you turn property over to some third party, they owe you a duty to take steps to safeguard that property.

            • reply
              June 24, 2011 1:11 PM

              Great summary.

            • reply
              June 24, 2011 2:27 PM

              I never said Sony wasn't negligent - I said I don't hold them responsible (key word = responsible, I never said they weren't accountable for their failures). My point is that if these hackers didn't do this in the first place, Sony would have more resources to pump into making their services and games better, so not only are the hackers responsible for stealing our data, but they are hurting the end product of Sony that we as consumers pay for. You also say "they owe you a duty to take steps to safeguard that property". WRONG - they owe you nothing more than what's in their terms of service, which every customer agrees at multiple points.

              I dunno though, maybe you're just the type of person that blames a good looking female for being a rape victim too.

              • reply
                June 24, 2011 2:40 PM

                Only if she was wearing a short skirt. That shit is too hot not to rape.

              • reply
                June 24, 2011 2:45 PM

                Your argument is based on the assumption that had this incident not occurred then Sony would have used those same financial and human resources specifically and strictly for PSN and their gaming division and not anywhere else. How can you prove that this would have been the case?

              • reply
                June 24, 2011 2:46 PM

                [deleted]

                • reply
                  June 24, 2011 2:58 PM

                  I was about to make a post that would have been to long about his use of negligence then claiming Sony was not responsible at all and how that is impossible but your post sums it up nicely.

              • reply
                June 24, 2011 2:49 PM

                More correctly they owe you what's required by law first; terms of service second. I'll admit I'm not fully up on the PCP/PCI requirements on holding CC data.

                I would expect the lawsuits floating around are going to take a good hard swing at this line from the SOE Privacy Policy.

                we have in place reasonable technical and organizational security measures to protect your Personal Information against accidental or intentional manipulation, loss, destruction, or against unauthorized disclosure or access to the information we collect online.

                http://www.soe.com/sonyonline/privacy.vm#OurCommitment

                My point would be against the organizational security measures. The lawsuit is probably going after the reasonable technical bit.

              • reply
                June 24, 2011 2:52 PM

                wow, that's the worst analogy ever. It seems like you have no understanding of the situation. You're just defending sony for no reason.

                • reply
                  June 24, 2011 3:10 PM

                  I bet you blame the Jews for letting Hitler throw them in an oven.

              • reply
                June 24, 2011 3:09 PM

                I'm sorry, Sony does owe customers more than what was agreed upon their terms of service.

                As Sony handled credit card transactions they must be PCI-DSS compliant. This means that they must meet certain security standards in both protection and storage of custom information. It is something that is taken very seriously by government agencies and credit card companies. The hack showed that they may indeed not be compliant. It's currently being argued over and actual investigations on the matter will likely go on for several months, but things do not look favorable for them at this point. If this indeed the case it's likely their troubles are far from over.

                Regardless of the hackers' actions here there are some very real legal issues here concerning Sony's handling of PSN customer information. I'm sorry that you have emotional reasons for disagreeing, but Sony itself was almost certainly in the wrong.

              • reply
                June 24, 2011 3:09 PM

                stay classy, champ ;-)

              • reply
                June 24, 2011 3:10 PM

                To be negligent, the person or organization must have responsibility.

              • reply
                June 24, 2011 6:44 PM

                You never babysitted a kid have you?

            • reply
              June 24, 2011 7:25 PM

              Except, that's a complete misrepresentation of the state of Sony's network security that has been perpetuated by the hackers themselves, and the general anti-Sony crowd of fanboys. It's more like they locked the door, locked the vault and the thieves still used thermite to burn their way in. And the most valuable items taken were still locked in safety deposit boxes the thieves have never been able to open.

    • reply
      June 24, 2011 7:11 PM

      This lawsuit appears to be grasping at straws. The layoffs mentioned are from SOE, not from PSN, and are probably related to the cancellation of The Agency earlier this year. The lawsuit also seems to completely misunderstand the failoverfl0w presentation on hacking the PS3, conflating it with the PSN attack. Beyond that it repeats a lot of apocryphal claims that have been floating around for months.

    • reply
      June 25, 2011 3:37 AM

      "The suit also alleges that Sony had been experiencing smaller breaches of security prior to the attack, and that it spent money to install firewalls and security measures to protect its own corporate data, but not user data."

      If that is really true i hope Sony loses.

Hello, Meet Lola