Sony Pictures Entertainment has been slapped with a lawsuit by two former employees who claim the studio did not do enough to safeguard their private information from a cyber attack.
The class-action suit was filed by Michael Corona and Christina Mathis, both of whom had their social security numbers made public after a hacking group calling itself Guardians of Peace dumped studio documents, employee information and salary charts online. The suit is being filed on behalf of current and former employees of the studio.
Film budgets and employee medical details were also leaked as part of the hack. The lawsuit claims that Sony knew its security system was vulnerable but made a “business decision to accept the risk” of a possible breach rather than spend more money to improve the system.
The suit reads:
“At its core, the story of ‘what went wrong’ at Sony boils down to two inexcusable problems: (1) Sony failed to secure its computer systems, servers, and databases …despite weaknesses that it has known about for years, because Sony made a ‘business decision to accept the risk’ of losses associated with being hacked; and (2) Sony subsequently failed to protect timely confidential information of its current and former employees from law-breaking hackers who (a) found these security weaknesses, (b) obtained confidential information of Sony’s current and former employees stored on Sony’s network, (c) warned Sony that it would publicly disseminate this information, and (d) repeatedly followed through by publicly disseminating portions of the information that they claim to have obtained from Sony’s network through multiple dumps of internal data from Sony’s Network.”
The lawsuit cites recently leaked emails and internal assessments that “reveal that Sony’s own information technology department and, separately, its general counsel believed that its technological security and email retention policies ran the risk of making too much data vulnerable to attack.”
Corona was an employee from 2004 to 2007. The suit says that he has so far spent $700 for a year of identity theft protection. Mathis worked in Sony Pictures Consumer Products from 2000 to 2012. The suit says that she has spent $300 so far on identity theft protection.
The suit was filed by the law firm of Keller Rohrback in Santa Barbara and Seattle.
A spokesman for the studio did not immediately respond to requests for comment.
The ex-employees are claiming negligence, violation of a California law on the confidentiality of medical information, violation of a California law on notification of a security breach and violation of a Virginia law on security breaches. Corona now lives in Virginia.
The lawsuit cites the Sony PlayStation breach in 2011, and claims that the studio “knew or should have known that such a security breach was likely and taken adequate precautions to protect current and former employees’ personal information.”
The lawsuit makes extensive reference to media reports of the Sony hacking, including those relying on information from stolen emails, in making its case that the studio did not adequately protect itself. Legal experts have said that the hacked emails are unlikely to be admissible in court, as they are stolen property.
The lawsuit claims that the studio failed to “timely and accurately disclose” the breach to employees and ex-employees.
More to come…