Suit Alleges Sony Laid Off Network Security Employees Just Before PSN Breach
June 24, 2011 | By Kris Graft

A new class action lawsuit filed against Sony and its subsidiaries over the PlayStation Network security breach alleges that the company fired a number of network security employees just prior to a cyber attack that left over 100 million accounts compromised across PSN and Sony Online Entertainment.

"Sony sought to cut its costs at the expense of its customers by terminating a significant number of employees immediately prior to the security breach, including personnel responsible for maintaining the security of the network," said the complaint, as obtained by Gamasutra.

According to a confidential witness cited in the court document, two weeks prior to the April breach Sony "laid off a substantial percentage of its Sony Online Entertainment workforce, including a number of employees in the Network Operations Center," the group responsible for preparing for and responding to security breaches.

In March this year, SOE laid off 205 workers and closed three studios.

The suit also alleged that Sony "spent lavishly" to safeguard its own proprietary development server, the PS DevNetwork, "but recklessly declined to provide adequate protections for its customers' personal information," citing a confidential witness who, according to the suit, was an employee of Sony Computer Entertainment America from 2006 to 2008 and of SOE for five months in 2010.

Sony also knew that its network security was weak "because it had experienced hackings of sensitive data on a smaller scale prior to the massive security breach," the suit claimed.

Another confidential witness, a platform support engineer for SOE from 2006 till March 2011, claimed that "Sony's technicians only installed firewalls on an ad-hoc [emphasis in original] basis after they determined that a particular user was attempting to gain unauthorized access to the network." The suit claimed that the practice fell short of widely-adopted security standards.

And another confidential witness, a senior project coordinator for SCEA from June 2000 till March 2011, "expressed an utter lack of surprise" about the breach, "since he and others at Sony knew it had been breached on prior occasions as well," the complaint claims.

The suit names Sony Corporation of America, Sony Computer Entertainment America, Sony Pictures Entertainment and Sony Network Entertainment International as defendants.

In April, hackers attacked PSN and obtained sensitive personal information from 77 million user accounts. The company said it "could not rule out the possibility" that credit card information had been compromised, and took down the service on April 20.

Soon after, the company said nearly 25 million SOE game accounts were compromised, and shut down SOE's Station.com online PC games service. Sony eventually restored all online game services in most territories by early June, and vowed that it had beefed up its network security.

The suit was filed this week on behalf of a larger class by New York residents Felix Cortorreal, Jacques Daoud Jr. and Jimmy Cortorreal. The plaintiffs are seeking actual damages in the amount paid for the equipment and network, and "appropriate restitution" for class members, among other forms of relief.

Gamasutra has contacted SCEA for comment.


Comments


Alan Rimkeit
How about significant damages suffered by the people who are filing the lawsuit? None? A little? The lawsuit all depends on how much damage was done. If none was done, good luck winning a lawsuit.

All of these "inside informants" will also have to testify in court. What proof do they have? Besides hearsay, of course. My money is on Sony winning this one.

Also, wtf does this mean?

"The plaintiffs are seeking actual damages in the amount paid for the equipment and network, and "appropriate restitution" for class members, among other forms of relief."

I would also like to point out that a new law here in Texas is making it so the loser of a lawsuit judged to be frivolous is made to pay all legal fees and court costs of the group/person they sued. They should do that on a federal level. See how many lawsuits are filed then if no actual damages were suffered.

Fiore Iantosca
The lawyers are out to make a quick buck. Pretty sad.

Adam Bishop
Something you directly witnessed isn't hearsay.

Alan Rimkeit
"Adam Bishop
24 Jun 2011 at 8:23 am PST
Something you directly witnessed isn't hearsay."

Evidence? No evidence? Then it is hearsay.

Tyler Martin
Adam is correct, Alan. Hearsay would be hearing something second hand. As in not witnessing an event but being told about it by someone after the fact.

For example, if I claimed I witnessed my boss slapping an employee it wouldn't be hearsay, but if I said that Joe told me HE saw our boss slap an employee that is hearsay because I didn't witness it.

What you're talking about is having to corroborate the testimony of these witnesses, but even if you didn't have evidence backing up what they say that doesn't make it hearsay. It just means the testimony isn't as strong as if other evidence corroborates it.

Matthew Mouras
That doesn't sound like a good law being implemented in Texas, though I'm sure it will play well as a soundbite on the news. Admittedly, I'm not a lawyer, but I have to believe the system doesn't work like that for a reason.

Glenn Sturgeon
Is there something I'm missing?

"The plaintiffs are seeking actual damages in the amount paid for the equipment and network, and "appropriate restitution""

So are the plaintiffs the owners of the server PSN was hosted on? Thus the use of the term "the equipment"? If not, I can't see how the cost of equipment and network could be relevant.

And even if so, they would have to prove the hack caused physical or irreversible performance damage to the servers.

Sounds like a lawsuit cash grab attempt to me from what's posted here.

The problem with online security is you're never totally secure if you are connected to the net.

And at what point do you decide your security employees are "topped out" as far as their abilities and you need smarter people to take their place? Oh yeah, when they fail and you get hacked...

Is it really neglect to have fewer security personnel, since one truly competent programmer is worth 100 that are mediocre? (Not saying that the ones let go were mediocre in any way or that the ones who kept their jobs were any better.)

I'm just saying, isn't less that are great at what they do just bogged down by people that are only good?

You would expect if Sony let some people go it wasn't likely the ones they thought were best within their security team.

I do see in most "people's perception" there is a belief that there is more competence in volume of people, but those with true mastery of any skill know better than that.

IMO a lot of this comes down to "if Sony would have just had PayPal support" for PSN, then surely a lot of the possibly damaging info that was taken would not have even been on their server.

Do you really care if people have your name, address, email addy and a single password? That's all I had on PSN so it's not a worry to me. They can look in a phone book and get most of the info that was taken from a lot of the PSN accounts. Besides, who tells the total truth when signing up for anything online 8)

Oh right, "I really do" live at 1313 Mockingbird Ln and I'm 30YO.

R G
There may have been a hacking group, but I stand by the "inside job" sentiment. Idk, just makes sense. Posting on public domains, Sony gets hacked numerous times, etc.

Of course, I'm most likely wrong. C'mon Scoobs, let's go :).

michael dilts
I say inside job. This is absolutely ridiculous.

I mean, is anyone in here going to actually follow the case for the next 3 years (haha, probably more) to see what actually happens? I love Gamasutra for always putting up ACTUAL court documents for us to read. Seeing as they haven't done that for this yet, everything in here is speculation.

One thing I want to add: If you think even for a second that someone at Sony isn't at fault here for being negligent, then you have got to be living under a rock.

Bryan Wagstaff
The fact that they laid off workers isn't anecdotal or through anonymous sources. It is well documented and easily proven.

The difficulty is showing that laying off those workers had a specific impact on the security of the machines that were hacked. I agree that Sony does have some culpability in having such lax security in place, but the blame for the crimes still lies with the attackers themselves.

Can this civil case prove that laying off the workers directly impacted these specific machines? Or were the machines insecure prior to that date? If they were already insecure then this evidence is moot. Since they claim they had been hacked before and they notified company officials, that would tend to invalidate this avenue that the layoffs had a significant impact.

When someone breaks into a car you blame the thief. If you can show the locks were defective you potentially have a civil claim against the manufacturer, but the blame for the crime still lies with the criminal. This case is not so different. Sony may have some fault in a civil matter for not properly securing their systems, but don't forget the crime was the theft by the actual criminals who broke in.

Clarinda Merripen
When guarding financial data, the standard for culpability is higher than for other information. Sony "admits" to hackers "possibly" having accessed "23,000 credit card numbers and bank account numbers".(1) However, the Telegraph cites 2.2 million cards for sale directly from these hacks.(2) That's quite enough people for a class action.

In fact, because of the vast amount of stolen card information from the Sony breach, the price of a stolen number dropped over the last month.(3) If you are interested in how the stolen credit card market works, check out this great story from Planet Money.(4)

Even if the information is "your name, address, email addy and a single password", having gone to Defcon for the last 3 years and listened to what people do with just a bit of information, it can be quite damaging. Professional online thieves create profiles of users built from small bits of information. The profiles are then traded and sold. What struck me about the talks I attended was that many of the people doing this aren't "teen hackers" but really high-level professionals, often outside of the US, in very organized groups (i.e. the Russian Mob). It's a reasonably cheap, low-risk, high-yield endeavor. With 77 million users to play with, you can bet they'll be working very hard to extract some financial gain.

Whether or not the layoffs had a direct effect on the hack is debatable. Certainly their standards for the level of encryption of information cannot be cited. That decision was certainly made by others long before the layoffs. The key questions are, "Did the layoffs affect routine security upgrades and maintenance to servers?" and "Was systems monitoring affected by the lack of people or by the transition?" One or two missed maintenance windows with well-known security holes could lead to a lot of damage.

Then there's the ancillary HR question: Did the company secure the system from those laid off? Since much of corporate espionage comes from those with a pissed-off past, it is a very pertinent question.

1) SOE Press Release, May 2, 2011
2) PlayStation Hack: Credit Card Data 'For Sale', The Telegraph, April 29, 2011, http://www.telegraph.co.uk/technology/sony/8483183/PlayStation-hack-credit-card-data-for-sale.html
3) How Credit Card Data Is Stolen and Sold, New York Times, Nick Bilton, May 3, 2011, http://bits.blogs.nytimes.com/2011/05/03/card-data-is-stolen-and-sold
4) How to Buy a Stolen Credit Card, Planet Money, Zoe Chase, June 17, 2011, http://www.npr.org/blogs/money/2011/06/20/137227559/how-to-buy-a-stolen-credit-card

Tim Agnew
Am I the only one to notice that the layoffs were at SOE and not at SCEA? SOE has nothing to do with the PSN. They are different companies with totally different IT departments and different networks. They both are subsidiaries of Sony corporate but there is no technical work between the two. So how did SOE laying off workers have anything to do with the PSN hack?

Clarinda Merripen
At the time Sony was transferring from Sony Computer Entertainment America to its Sony Network Entertainment America subsidiary.(1) SNEA was an existing company that already managed "the online operations of other Sony products such as Bravia, Blu-ray Players and Dash."(2)

Kazuo Hirai, a rising Sony executive, grew the PSN to 74 million users in two years.(3) That's very fast growth for any online infrastructure. As of a March 10th press release, Sony was "realigning it's key business components", which meant a shakeup. On March 25, the same day the studio layoffs were announced, Sony announced the switch from SCEA to SNEA. According to a talk Mr. Hirai gave at CES in January, Sony was preparing to introduce "a new corporate unit tasked with the expansion of the increasingly vital PlayStation Network architecture" with the eventual goal of creating a "PSN virtual wallet" that spanned all Sony devices from Bravia TVs to Ericsson phones. That's a tremendous strain on the network infrastructure and architecture.

I'm not sure we'd hear about the layoffs that switch would create, since it is more on the tech side than the development side. It's not really newsworthy for the gaming community. But the dates of the SOE layoffs coincide with the announcement of a larger transfer of responsibilities.

In the midst of all that corporate upheaval, add in the April 6th earthquake, contributing to an economic downturn leading to some belt tightening.

So you have the perfect recipe for something bad to happen:

1- Push from the top to expand really, really fast
2- Changing responsibilities from one existing corporate entity to another
3- Trying to link many types of hardware together under an existing, older, intact architecture
4- Natural disaster.

1) Sony Network Entertainment America Taking Over SCEA's Online Services, Gamasutra, Mike Rose, March 25, 2011, http://gamasutra.com/view/news/33703/Sony_Network_Entertainment_America_Taking_Over_SCEAs_Online_Services.php
2) PlayStation Network services transferring to SNEA, Afterdawn, James Delahunty, March 27th, 2011, http://www.afterdawn.com/news/article.cfm/2011/03/27/playstation_network_services_transfering_to_snea
3) Sony Global Press Release, May 7th, 2011

Harlan Sumgui
From what I know a grand total of 5 network security specific employees were let go. And we do not know what kind of employees they were (good? bad? drunk?). Trying to blame the layoffs in one dept for the failings of another is a real stretch. And we don't even know the extent of the failings. I mean, if a hardened organization like Lockheed Martin can be compromised then...

Sony's response to the criminal intrusion, insofar as taking care of its customers, has been exemplary. IMO, this lawsuit could only have been filed in the US. Nonetheless, I like the US legal system as lawsuits keep corporations honest. In many countries, the ability of citizens to sue corporations is severely limited. For example, in Canada an employee who is injured/maimed/killed by an employer's negligence CANNOT sue at all. And while the employer may be fined by the government, the employer does not have to give any compensation to the employee, no matter how egregious the negligence is. The employee would get some compensation from some bureaucratic arm of the govt, but nothing like what he would have gotten if he had been able to sue, like in the US.

Leandro Pezzente
I read a hypothesis that SOE didn't "salt" their server password hashes, so given that today's GPUs' raw computing power can calculate rainbow hash tables in just seconds, let's say that should be a pretty customary practice.
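
The salting point raised in this comment, shown as an added example that is not part of the original thread or of any Sony system: a precomputed hash-to-password table built once is reusable against every unsalted hash, while a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library, assumed here as the hardened scheme) makes the same table useless and hides which users share a password. The three-word wordlist is constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist; stands in for the precomputed (rainbow) table the comment refers to.
SAMPLE_WORDS = ["password", "letmein", "dragon"]


def unsalted_sha1(password: str) -> str:
    """Weak scheme: one deterministic hash per password, identical for every user who picks it."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; valid forever against any unsalted SHA-1 store."""
    return {unsalted_sha1(w): w for w in words}


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Hardened scheme (assumed): per-user salt and a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str) -> dict:
    """What a server should persist: the random salt alongside the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(record["hash"], salted_hash(candidate, record["salt"]))


def demo() -> dict:
    table = build_lookup_table(SAMPLE_WORDS)

    # Two users chose the same weak password under the unsalted scheme.
    alice_unsalted = unsalted_sha1("dragon")
    bob_unsalted = unsalted_sha1("dragon")

    # Same scheme under salting.
    alice = store_password("dragon")
    bob = store_password("dragon")

    return {
        # One dictionary lookup recovers the plaintext; no hashing work needed at all.
        "recovered_from_unsalted": table.get(alice_unsalted),
        # Identical hashes reveal that the two users share a password.
        "unsalted_hashes_equal": alice_unsalted == bob_unsalted,
        # Different salts: same password, unrelated stored hashes.
        "salted_hashes_differ": alice["hash"] != bob["hash"],
        # The precomputed table cannot match a salted hash; work must be redone per user.
        "table_hit_on_salted": alice["hash"].hex() in table,
        "verify_correct": verify_password(alice, "dragon"),
        "verify_wrong": verify_password(alice, "letmein"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The iteration count is what turns a per-user recomputation into real cost for whoever holds a stolen table; the salt only removes the precomputation shortcut.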

Keith Patch
Why didn't the network security personnel catch/handle this before the breach? Maybe they would have kept their jobs... had they actually been doing them.

I will admit, it's a bit rude of me to say they were not doing their jobs (without knowing the actual situation)... but for now I'll stick to my speculation.

Scott Southurst
Agreed...

As a side note, a colleague of mine today found out that his credit card (the one linked to his PSN account) was used to purchase something off apple.com on the weekend. I'll be interested to see how many of the credit cards (whose details "weren't" hacked according to Sony) experience a similar occurrence.

Lyon Medina
I am not an attorney. I don't study law. So I won't interpret something I have no idea about or care for in that manner. Was Sony "negligent"? Who cares, really?

What I do think is important here is that something was done wrong and Sony happens to be at the forefront of attention. These people were laid off and something happened, maybe not because of it specifically, but maybe something could have been done to prevent it. Now the obvious answer to that is, "What? What could have been done? What's my brilliant idea?" Not to be a Captain Hindsight, because that will always be 20/20, but test your network constantly. One thing that Microsoft does so well is hire the talent that cracks its network and get them to create security measures they cannot crack.

Sony made a big deal about the GeoHotz mod/hack/breaking/breach/whatever else you can think to call it and attracted the attention of the modding community. In the worst way possible. This is just all negative publicity. They need to get all of this behind them in a good way. If they try to brag it's just gonna end up bad.


none
 
Comment: