The Sony PlayStation Network outage has prompted questions about data security and a congressional inquiry, and now you can add class-action lawsuit to the list.
A California-based firm has filed suit against Sony, accusing the company of failing to adequately protect, encrypt, and secure its customer data. The suit seeks damages for the data loss and PlayStation Network downtime.
"We bought this lawsuit on behalf of consumers to learn the full extent of Sony PlayStation Network data security practices and the data loss and to seek a remedy for consumers," Ira P. Rothken, an attorney who filed the complaint, said in a statement. "We are hopeful that Sony will take this opportunity to learn from the network vulnerabilities, provide a remedy to consumers who entrusted their sensitive data to Sony, and lead the way in data security best practices going forward."
Sony's PlayStation network has been having issues since last Wednesday, but it was not until last night that Sony confirmed that hackers had obtained personal information from the network, which possibly included credit cards. Sony said it expects to "restore some services" within a week, but did not elaborate.
"Sony's breach of its customers' trust is staggering," co-counsel J.R. Parker said. "One would think that a large multinational corporation like Sony has strong protective measures in place to prevent the unauthorized disclosure of personal information, including credit card information. Apparently, Sony doesn't."
The suit was filed on behalf of Alabama resident Kristopher Jones, who has been a PlayStation user since 2009.
The lawsuit claims that Sony was aware of vulnerabilities with its system for some time, but does not provide details.
"[Sony] has been aware for a substantial period of time that PSN was prone to catastrophic loss of data from a security breach," according ot the filing. "Nevertheless, [Sony] failed to warn its customers of the problem or tried to prevent them from suffering system suspension from security breaches and data loss."
"Sony sat silently while consumers purchased defective PlayStation consoles and PSN service without warning customers about the risks inherent in purchasing and relying upon Sony's data security," the suit continued.
In a Tuesday blog post, Patrick Seybold, senior director of corporate communications and social media at Sony, insisted that "there's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised."
Sony learned of the intrusion on April 19 and subsequently shut down its services. It then brought in outside experts to assess the damage, which took some time, he said.
"It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach," Seybold wrote. "We then shared that information with our consumers and announced it publicly this afternoon."
In a Thursday blog post, Sophos security consultant Carole Theriault called on Sony "to stand up and explain how the company screwed up, how the bad guys got into their system, why the data wasn't properly stored: a clear and concise explanation and, where appropriate, a straight-up apology for their oversights/misplaced bets/mistakes/etc."
Late yesterday, Sen. Richard Blumenthal, a Democrat, wrote to Sony president Jack Tretton, expressing concern about Sony's reaction time and asking that Sony provide them with access to financial data security services.
For more, see Sony's PlayStation Network Outage: What You Need to Know and Sony's PlayStation Network Hack: When Did They Know?