Sony Faces Lawsuit, Regulators’ Scrutiny Over PlayStation Breach

Sony Corp. (6758)’s network entertainment unit faced a legal and regulatory backlash over delays in telling 77 million subscribers that their personal account data may have been stolen by a hacker.

A lawsuit filed yesterday in federal court in San Francisco alleges the delay left PlayStation console users exposed to losses related to any credit-card data theft. Officials in Connecticut, the U.K. and Ireland began inquiries.

Sony warned customers of the security breakdown on April 26, offering its first accounting of the severity of the intrusion six days after closing the PlayStation Network and Qriocity video- and music-streaming services. The Tokyo-based company said it notified consumers as quickly as it could.

“Consumers and merchants have been exposed to what is one of the largest compromises of Internet security and the greatest potential for credit-card fraud to ever occur in U.S. history,” according to the complaint.

In the lawsuit, plaintiff Kristopher Johns, of Birmingham, Alabama, seeks to represent people who bought a PlayStation console, subscribe to either PlayStation Network or Qriocity service and “suffered loss of service and break of security,” according to the complaint.

The PlayStation Network, which provides access to online games, movies and TV shows, was attacked from April 17 to April 19. Sony had combined PlayStation Network customer data with Qriocity, which offers movies or music in 11 nations on Web-connected Bravia TVs and Blu-ray players.

“It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach,” Patrick Seybold, a Sony spokesman, said in an e-mail on April 26. “We then shared that information with our consumers and announced it publicly.”

Seybold didn’t respond to requests for comment yesterday.

Credit Monitoring

The complaint seeks payment for credit monitoring for all plaintiffs, refunds for defective services and PlayStations, and unspecified punitive damages.

Sony said on April 26 that it was trying to determine whether credit-card data were stolen. The intruder obtained user-provided names, e-mail addresses, birthdates, login information and purchase history, Sony said on its blog.

Sony fell 3.2 percent to 2,291 yen at 9:10 a.m. on the Tokyo Stock Exchange, headed for its biggest drop since March 15. The benchmark Nikkei 225 Stock Average climbed 0.3 percent.

Sony faces tens of millions of dollars in costs, said Marc Zwillinger, a partner at Washington-based Zwillinger Genetski LLP, which specializes in cyber-related law.

Financial Fallout

In similar breaches, companies have had to pay at least $1 a person to set up dedicated hotlines and call-center capacity to deal with a deluge of customer calls, Zwillinger said.

The ultimate cost will depend on the damage caused by the breach, Zwillinger said. Courts typically throw out lawsuits in which users can’t show harm, he said.

Spokesmen for Wells Fargo & Co., American Express Co. and MasterCard Inc. said they were monitoring cardholder accounts and hadn’t seen unauthorized activity relating to Sony.

The Ponemon Institute, a think tank that studies data-breach costs, estimates companies paid on average $7.2 million for each incident last year to deal with each intrusion and implement plans to keep existing or attract new customers.

Customers Worldwide

Sony has 36 million customers in the U.S., 32 million in Europe and 9 million in Japan and the rest of Asia, according to a report today by Daiwa Capital Markets.

In the year ended in March 2010, Sony’s games unit generated $9.07 billion in sales, or almost 12 percent of the parent company’s total revenue.

Photographer: Kiyoshi Ota/Getty Images

A booth assistant demonstrates a game on the 3D-supported Sony Computer Entertainment Inc.'s PlayStation 3 video game console during the Tokyo Game Show 2010 at Makuhari Messe in Chiba, Japan.

U.S. and European lawmakers and regulators were seeking information about Sony’s breakdown. Users of Sony’s PlayStation Network sign a licensing agreement that limits the company’s liability for data breaches unless the law in the subscriber’s jurisdiction supersedes the agreement.

The U.K. Information Commissioner’s Office said yesterday it has begun an inquiry into the breach. The Cheshire, England-based agency can fine companies as much as 500,000 pounds ($826,300) for violations of privacy law.

“The Information Commissioner’s Office takes data protection breaches extremely seriously,” the agency said in an e-mailed statement. “Any business or organization that is processing personal information in the U.K. must ensure they comply with the law, including the need to keep data secure.”

Ireland’s Office of the Data Protection Commissioner said it asked Sony for a report on the breaches. Connecticut Attorney General George Jepsen also sought information, according to an e-mailed statement.

Parents’ Role

Sony’s costs could exceed the norm quickly because parents may be more concerned about their children’s privacy, said Lawrence Ponemon, chairman of the Traverse City, Michigan, institute.

“Parents are going to make judgments about the safety of the device,” Ponemon said. “Consumer groups could be more active than usual. In some ways, this could be surprisingly costly.”

Sony recommends that customers change their passwords when service is restored and do the same elsewhere if they use the login data with other businesses.

The U.S. must adopt nationwide standards that companies and government entities follow to secure sensitive information, U.S. Senator Tom Carper, a Democrat from Delaware, said today.

“It is my hope that this issue can be addressed in the context of a comprehensive cyber-security bill as soon as possible this year,” Carper said in a statement.

The case is Johns v. Sony Computer Entertainment America LLC, 11-02063, U.S. District Court, Northern District of California (San Francisco).

To contact the reporters on this story: Cliff Edwards in San Francisco at cedwards28@bloomberg.net; Karen Gullo in San Francisco at kgullo@bloomberg.net; Michael Riley in Washington at michaelriley@bloomberg.net

To contact the editors responsible for this story: Michael Hytha at mhytha@bloomberg.net; Anthony Palazzo at apalazzo@bloomberg.net
