Sony Faces Lawsuit, Regulators’ Scrutiny Over PlayStation Breach
Sony Corp. (6758)’s network entertainment unit faced a legal and regulatory backlash over delays in telling 77 million subscribers that their personal account data may have been stolen by a hacker.
A lawsuit filed yesterday in federal court in San Francisco alleges the delay left PlayStation console users exposed to losses related to any credit-card data theft. Officials in Connecticut, the U.K. and Ireland began inquiries.
Sony warned customers of the security breakdown on April 26, offering its first accounting of the severity of the intrusion six days after closing the PlayStation Network and Qriocity video- and music-streaming services. The Tokyo-based company said it notified consumers as quickly as it could.
“Consumers and merchants have been exposed to what is one of the largest compromises of Internet security and the greatest potential for credit-card fraud to ever occur in U.S. history,” according to the complaint.
In the lawsuit, plaintiff Kristopher Johns, of Birmingham, Alabama, seeks to represent people who bought a PlayStation console, subscribe to either PlayStation Network or Qriocity service and “suffered loss of service and break of security,” according to the complaint.
The PlayStation Network, which provides access to online games, movies and TV shows, was attacked from April 17 to April 19. Sony had combined PlayStation Network customer data with Qriocity, which offers movies or music in 11 nations on Web- connected Bravia TVs and Blu-ray players.
“It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach,” Patrick Seybold, a Sony spokesman, said in an e-mail on April 26. “We then shared that information with our consumers and announced it publicly.”
Seybold didn’t respond to requests for comment yesterday.
The complaint seeks payment for credit monitoring for all plaintiffs, refunds for defective services and PlayStations, and unspecified punitive damages.
Sony said on April 26 that it was trying to determine whether credit-card data were stolen. The intruder obtained user-provided names, e-mail addresses, birthdates, login information and purchase history, Sony said on its blog.
Sony fell 3.2 percent to 2,291 yen at 9:10 a.m. on the Tokyo Stock Exchange, headed for its biggest drop since March 15. The benchmark Nikkei 225 Stock Average climbed 0.3 percent.
Sony faces tens of millions of dollars in costs, said Marc Zwillinger, a partner at Washington-based Zwillinger Genetski LLP, which specializes in cyber-related law.
In similar breaches, companies have had to pay at least $1 a person to set up dedicated hotlines and call-center capacity to deal with a deluge of customer calls, Zwillinger said.
The ultimate cost will depend on the damage caused by the breach, Zwillinger said. Courts typically throw out lawsuits in which users can’t show harm, he said.
Spokesmen for Wells Fargo & Co., American Express Co. and MasterCard Inc. said they were monitoring cardholder accounts and hadn’t seen unauthorized activity relating to Sony.
The Ponemon Institute, a think tank that studies data- breach costs, estimates companies paid on average $7.2 million for each incident last year to deal with each intrusion and implement plans to keep existing or attract new customers.
In the year ended in March 2010, Sony’s games unit generated $9.07 billion in sales, or almost 12 percent of the parent company’s total revenue.
U.S. and European lawmakers and regulators were seeking information about Sony’s breakdown. Users of Sony’s PlayStation Network sign a licensing agreement that limits the company’s liability for data breaches unless the law in the subscriber’s jurisdiction supersedes the agreement.
The U.K. Information Commissioner’s Office said yesterday it has begun an inquiry into the breach. The Cheshire, England- based agency can fine companies as much as 500,000 pounds ($826,300) for violations of privacy law.
“The Information Commissioner’s Office takes data protection breaches extremely seriously,” the agency said in an e-mailed statement. “Any business or organization that is processing personal information in the U.K. must ensure they comply with the law, including the need to keep data secure.”
Ireland’s Office of the Data Protection Commissioner said it asked Sony for a report on the breaches. Connecticut Attorney General George Jepsen also sought information, according to an e-mailed statement.
Sony’s costs could exceed the norm quickly because parents may be more concerned about their children’s privacy, said Lawrence Ponemon, chairman of the Traverse City, Michigan, institute.
“Parents are going to make judgments about the safety of the device,” Ponemon said. “Consumer groups could be more active than usual. In some ways, this could be surprisingly costly.”
Sony recommends customers change their passwords when service is restored and to do the same elsewhere if they use the login data with other businesses.
The U.S. must adopt nationwide standards that companies and government entities follow to secure sensitive information, U.S. Senator Tom Carper, a Democrat from Delaware, said today.
“It is my hope that this issue can be addressed in the context of a comprehensive cyber-security bill as soon as possible this year,” Carper said in a statement.
To contact the reporters on this story: Cliff Edwards in San Francisco at firstname.lastname@example.org; Karen Gullo in San Francisco at email@example.com; Michael Riley in Washington at firstname.lastname@example.org