Sony sued by ex-staff over daft security, leaked privates
What if movie studio loses? Big biz liable for big data blunders?
As if Sony Pictures didn't have enough on its plate, now former employees have launched a class-action lawsuit against the Hollywood giant over the parlous state of its security – and to recoup the damage hackers have allegedly caused them.
It comes as people claiming to have hacked the movie studio's servers today made bizarre threats against showings of Sony Pictures' North Korea-poking comedy flick The Interview – including references to 2001's September 11 attacks.
A whole load of new files stolen from Sony's systems by the miscreants have also been leaked via file-sharing networks. That adds to the tens of gigabytes of sensitive records – from employees' salaries, addresses and emails to credit card numbers, scripts and unreleased movies – obtained from Sony Pictures computers by hackers and dumped online.
The two lead plaintiffs in the class-action lawsuit against Sony Pictures are revealed in legal paperwork [PDF] obtained today by The Reg.
Michael Corona left Sony seven years ago and claims he and his wife and child have had attempts made to steal their identities based on personal information leaked from Sony. The other plaintiff, Christina Mathis, left Sony in 2002 but claims to have suffered the same fate due to this Sony ransacking.
The lawsuit, filed on Monday in the Central District of California, claims that Sony should have known that it was a target for hackers, particularly in light of the 2011 PlayStation Network (PSN) breach which shut its servers down for nearly two months and led to the widespread plundering of gamers' personal information.
Sony offered $15m to clear up that mess, and the lawyers in this latest case are seeking $1,000 compensation for each former employee who has had their details leaked, which, given that over 47,000 social security numbers have been released, could add up to a hefty sum.
The PSN hack, and plenty of others besides at other companies, show that Sony should have been more security conscious, the plaintiffs' lawyers argue. Even after such major breaches, the company was still storing critical information in plain text and without proper encryption, and Sony management made a business decision not to invest in proper security mechanisms, despite repeated warnings from IT staff, the suit claims.
Once the scale of this latest hack was uncovered, Sony management warned in an email to employees on December 2 that all and any data given to the company was at risk. The biz set staffers up with credit and identity protection the next day. But it was only on December 12, and after increasing complaints from former staff, that Sony offered the same services to some ex-employees.
The suit also points out that Sony didn't stint on countermeasures to the latest leak, seemingly using Amazon Web Services to spam out false data on torrents and trying to shut down torrenting sites seeding swiped files. It also hired a high-priced lawyer to threaten the press if they dug into the network breach.
"AWS employs a number of automated detection and mitigation techniques to prevent the misuse of our services," a spokeswoman for Amazon told El Reg.
"In cases where the misuse is not detected and stopped by the automated measures, we take manual action as soon as we become aware of any misuse. Our terms are clear about this. The activity being reported is not currently happening on AWS."
The plaintiffs' legal firm, Keller Rohrback in Seattle, didn't return calls at time of going to press, but is assumed to be looking for further former employees to sign up and sue their old bosses for compensation.
Meanwhile, on Monday Sony Pictures' chief executive and chairman Michael Lynton held a series of 20-minute meetings with groups of staff to apprise them of progress in dealing with the attacks and to reassure them about the future.
"This won't take us down," he promised, the LA Times reports. "You should not be worried about the future of this studio. I am incredibly sorry that you've had to go through this."
Co-chairman Amy Pascal also addressed the meeting, apologizing for insensitive comments she made in private emails that have since been leaked. "It is your incredible efforts and perseverance that will get us through this," she said. ®