Want CNET to notify you of price drops and the latest stories?

Lawsuit: Sony knew its PSN security was at risk

A new lawsuit prompted by the PlayStation Network breach in April accuses Sony of improperly protecting customer data while spending more money to secure its own development servers.

Erica Ogg Former Staff writer, CNET News
Erica Ogg is a CNET News reporter who covers Apple, HP, Dell, and other PC makers, as well as the consumer electronics industry. She's also one of the hosts of CNET News' Daily Podcast. In her non-work life, she's a history geek, a loyal Dodgers fan, and a mac-and-cheese connoisseur.
Erica Ogg
2 min read

Three men are suing Sony over April's massive data breach of the company's PlayStation Network and Sony Online systems, saying the company knew its security system was inadequate before the cyberattack.

The suit was filed earlier this week in the U.S. District Court for the Southern District of California, and unearthed by Reuters today.

The suit, which is asking for class-action status, was filed Monday on behalf of Felix Cortorreal, Jacques Daoud Jr., and Jimmy Cortorreal, all of New York. The trio alleges that Sony "knew that its inadequate security systems placed it at an increased risk for the attack, which directly and proximately caused the theft of its customers' personal information and a monthlong interruption" of the PlayStation Network, according to court documents.

The three also cite "confidential witnesses" who say they know firsthand that while Sony "spent lavishly" on the security of its development servers to protect its own intellectual property, it "recklessly" failed to do the same for the servers containing its customers' sensitive personal data. Sony is also accused of being told directly that its security on PSN was weak and at-risk, and of firing "a significant number of employees immediately before the security breach," including people responsible for network and server security, in order to cut costs.

In April, more than 77 million customer accounts of Sony's PlayStation Network and Qriocity service were exposed in an attack on 10 of the company's servers in San Diego. Later, 25 million customer accounts of Sony Online Entertainment were found to be compromised as well. The information exposed included customer names, e-mail addresses, billing addresses, phone numbers, genders, and birth dates. Sony maintains that credit card information was not stolen.

The company came under fire almost immediately for not alerting its customers of the breach for several days after it occurred. Then the PSN and Qriocity services were taken offline for almost a month while Sony scrambled to rebuild its security systems and undertook a forensic investigation into the breach.

The suit asks for reimbursement for PlayStation consoles, PSN fees, restitution, "exemplary damages," and "appropriate credit monitoring."

Sony has already implemented a sort of apology program for customers, including free credit monitoring for a year, free game downloads, free movie rentals, and other in-game bonuses.

Sony did not have a comment on the pending litigation.