April 28 (Bloomberg) -- Sony Corp. faced a legal and regulatory backlash over delays in telling 77 million subscribers that their personal account data may have been stolen by a hacker.
A lawsuit filed yesterday in federal court in San Francisco alleges the delay left PlayStation users exposed to losses related to any credit-card data theft. Officials in Connecticut, the U.K. and Ireland began inquiries. Makiko Noda, a Tokyo-based Sony spokeswoman, declined to comment, as the company hadn’t received a notice of legal action.
Sony slumped the most since the aftermath of the March 11 earthquake on concern the fallout will set back efforts to compete against Apple Inc. and Microsoft Corp. in online movies and games. Sony warned customers of the security breach on April 26, six days after closing the PlayStation Network and Qriocity video- and music-streaming services.
Sony fell 4.5 percent to 2,260 yen on the Tokyo Stock Exchange, the lowest close since July 2009. The benchmark Nikkei 225 Stock Average climbed 1.6 percent.
The Tokyo-based company said it notified consumers as quickly as it could. Kazuo Hirai, who heads the consumer-electronics operations, plans to turn network services into a 300 billion yen ($3.6 billion) business in two years by connecting Bravia TVs, Vaio PCs and PlayStation game players.
Compromise of Internet Security
“Consumers and merchants have been exposed to what is one of the largest compromises of Internet security and the greatest potential for credit-card fraud to ever occur in U.S. history,” according to the complaint.
In the lawsuit, plaintiff Kristopher Johns, of Birmingham, Alabama, seeks to represent people who bought a PlayStation console, subscribe to either PlayStation Network or Qriocity service and “suffered loss of service and break of security,” according to the complaint.
The PlayStation Network, which provides access to online games, movies and TV shows, was attacked from April 17 to April 19. Sony had combined PlayStation Network customer data with Qriocity, which offers movies or music in 11 nations on Web-connected Bravia TVs and Blu-ray players.
“It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach,” Patrick Seybold, a Sony spokesman, said in an e-mail on April 26. “We then shared that information with our consumers and announced it publicly.”
Sony is working with law enforcement and have hired a technology security firm to conduct the investigation, the company said on its blog yesterday.
The complaint seeks payment for credit monitoring for all plaintiffs, refunds for defective services and PlayStations, and unspecified punitive damages.
Sony said on April 26 that it was trying to determine whether credit-card data were stolen. The intruder obtained user-provided names, e-mail addresses, birthdates, login information and purchase history, Sony said on its blog.
“We are overhauling our servers and rebuilding the system from scratch in order to offer the service to our customers in a secure and stable online environment,” Noda said. She said there is no immediate plan to restart the service.
The company said in February revenue in the network services business reached 38 billion yen in the nine months ended Dec. 31, exceeding the 36 billion yen total for the previous fiscal year. Sony, which had targeted doubling annual sales at the unit in the period to March 31, said at the time it may fall short of the goal.
Sony faces tens of millions of dollars in costs, said Marc Zwillinger, a partner at Washington-based Zwillinger Genetski LLP, which specializes in cyber-related law.
In similar breaches, companies have had to pay at least $1 a person to set up dedicated hotlines and call-center capacity to deal with a deluge of customer calls, Zwillinger said.
The ultimate cost will depend on the damage caused by the breach, Zwillinger said. Courts typically throw out lawsuits in which users can’t show harm, he said.
Spokesmen for Wells Fargo & Co., American Express Co. and MasterCard Inc. said they were monitoring cardholder accounts and hadn’t seen unauthorized activity relating to Sony.
The Ponemon Institute, a think tank that studies data-breach costs, estimates companies paid on average $7.2 million for each incident last year to deal with each intrusion and implement plans to keep existing or attract new customers.
The PlayStation Network has 36 million subscribers in the U.S., 32 million in Europe and 9 million in Japan and the rest of Asia, according to Sony’s Noda.
In the year ended in March 2010, Sony’s games unit generated $9.07 billion in sales, or almost 12 percent of the parent company’s total revenue.
U.S. and European lawmakers and regulators were seeking information about the breach at Sony’s network. Users of Sony’s PlayStation Network sign a licensing agreement that limits the company’s liability for data breaches unless the law in the subscriber’s jurisdiction supersedes the agreement.
The U.K. Information Commissioner’s Office said yesterday it has begun an inquiry into the breach. The Cheshire, England-based agency can fine companies as much as 500,000 pounds ($836,300) for violations of privacy law.
“The Information Commissioner’s Office takes data protection breaches extremely seriously,” the agency said in an e-mailed statement. “Any business or organization that is processing personal information in the U.K. must ensure they comply with the law, including the need to keep data secure.”
Ireland’s Office of the Data Protection Commissioner said it asked Sony for a report on the breaches. The Italian Data Protection Authority also planned to contact the company, according to a statement from the agency today. Connecticut Attorney General George Jepsen also sought information, according to an e-mailed statement.
Sony’s costs could mount quickly because parents may be more concerned about their children’s privacy, said Lawrence Ponemon, chairman of the Traverse City, Michigan-based Ponemon Institute.
“Parents are going to make judgments about the safety of the device,” Ponemon said. “Consumer groups could be more active than usual. In some ways, this could be surprisingly costly.”
Sony recommends customers change their passwords when service is restored and to do the same elsewhere if they use the login data with other businesses.
The U.S. must adopt nationwide standards that companies and government entities follow to secure sensitive information, U.S. Senator Tom Carper, a Democrat from Delaware, said yesterday.
“It is my hope that this issue can be addressed in the context of a comprehensive cyber-security bill as soon as possible this year,” Carper said in a statement.
The case is Johns v. Sony Computer Entertainment America LLC, 11-02063, U.S. District Court, Northern District of California (San Francisco).
To contact the reporters on this story: Cliff Edwards in San Francisco at email@example.com; Karen Gullo in San Francisco at firstname.lastname@example.org; Michael Riley in Washington at email@example.com