Sony Slapped With Class Action Lawsuit by Former Employees Over Hack Attack

Complaint calls security breach “an epic nightmare”

Last Updated: December 16, 2014 @ 10:40 AM

Sony’s troubles are continuing to mount, after two former employees of the company, which has been racked by a devastating hacking attack in recent weeks, hit the company with a class-action lawsuit over the security breach.

“An epic nightmare, much better suited to a cinematic thriller than to real life, is unfolding in slow motion for Sony’s current and former employees,” reads the lawsuit that was filed Monday. “Their most sensitive data, including over 47,000 Social Security numbers, employment files including salaries, medical information, and anything else that their employer Sony touched, has been leaked to the public, and may even be in the hands of criminals.”

The complaint, filed by Michael Corona and Christina Mathis and “on behalf of all others similarly situated,” says the hacking resulted from two “inexcusable problems”: “1) Sony failed to secure its computer systems, servers, and databases (‘Network’), despite weaknesses that it has known about for years because Sony made ‘a business decision to accept the risk’ of losses associated with being hacked; and (2) Sony subsequently failed to timely protect confidential information of its current or former employees from law-breaking hackers.”

Sony, the suit claims, “owed a legal duty to Plaintiffs and the other Class members to maintain reasonable and adequate security measures to secure, protect, and safeguard their PII [personal identifying information] stored on its Network.”

A spokeswoman for Sony has not yet responded to TheWrap‘s request for comment.

The lawsuit cites leaked emails purporting to reveal that Sony’s IT department and general counsel expressed their concern that the company’s technological security and email retention policies left the data vulnerable to attack.

“If only Sony had heeded its own advice in time,” the suit reads.

According to the 45-page legal complaint, Corona worked for Sony Pictures Entertainment from 2004 and 2007 in Culver City, while Mathis worked for Sony Pictures Consumer Products from 2000 to 2002. Both of their personal information was compromised by the breach, the lawsuit claims. In addition to the invasion of privacy, both Corona and Mathis have allegedly incurred personal costs as a result of the breach, with Corona shelling out more than $700 for identity theft protection and Mathis spending $300 for the same.

The complaint takes particular aim at Jason Spaltro, Sony’s executive director of information security — who, the suit claims, “made a business decision in November 2005 not to ensure the security of Sony’s Network.” It also cites the 2011 data breach of Sony’s PlayStation videogame network, claiming that the company was warned of the impending attack two weeks earlier.

Despite the PlayStation hack, the suit alleges, Sony continued to ignore security concerns.

The suit puts the class of affected current and former Sony employees at “approximately 15,000.”

Alleging negligence and violation of California and Virginia law (Corona is currently a resident of Virginia), the suit, filed in U.S. district court in California, asks that the court certify the case as a class action. The suit also seeks unspecified damages and a jury trial.

Pamela Chelin contributed to this report.