Class Action Lawsuit Brought Against Sony Over PSN Data Breach
April 27, 2011 | By Kyle Orland

The Rothken law firm has filed a federal class action lawsuit against SCEA on behalf of the 77 million PSN customers it says were harmed by "one of the largest data breaches in the history of the internet."

The complaint [PDF], filed in California district court on behalf of one Kristopher Johns and other PSN members, accuses Sony of "failure to maintain adequate computer data security of consumer personal data and financial data," with tools such as firewalls and encryption.

This security failure puts the company in violation of the Payment Card Industry Data Security Standard meant to protect credit card data, as well as legal security requirements for protection of customer records, the suit alleges.

The 22-page suit also accuses Sony of failing to warn customers that such a breach was possible, and of "false advertising and unfair business practices" surrounding its previous statements about account security.

The firm is seeking compensation for the "extra time, effort, and costs" customers spent for credit monitoring and card replacement in the wake of yesterday's revelation that their data might be compromised, as well as compensation for the inability to access PSN and Qriocity services since last week.

"Sony’s breach of its customers’ trust is staggering," said Rothken co-counsel J.R. Parker, in a statement. "Sony promised its customers that their information would be kept private. One would think that a large multinational corporation like Sony has strong protective measures in place to prevent the unauthorized disclosure of personal information, including credit card information. Apparently, Sony doesn't."

Affected parties can sign on to the case or provide information regarding the investigation by contacting the law firm through a web form or by phone.

Comments


Marcus Miller
It was only a matter of time before someone decided to sue. No surprise here.

Nicholas Ulring
This isn't about justice. Just a blood sucking lawyer trying to make money. Hopefully Sony will ditch PSN and adopt Steam.

Sean Currie
If what comes out of this is a next gen console powered by Steam then the hackers can have the rest of my credit cards too.

Nicholas Ulring
I doubt it will happen but Steam with Portal 2 is a start.

Kevin Koos
So how dare the lawyer go after the company making billions of dollars that doesn't feel the need to maintain proper security. Any company making money off of 77 million account holders should be held accountable. But the icing on the cake is they were just hacked, they knew they were vulnerable, but instead of taking down the network to ensure it was safe they brought it right back up and put everyone at risk so they could continue to make money.

Eric Geer
I really just want PSN back online... I can deal with the credit card issues/"identity theft"--- is it really that hard to get a new credit card (most cards have fairly good security/insurance on them anyway)--- and how much information could the hackers really have gotten from the account?... name, address, phone number, PSN password/ID and email--- if you told me your name I could find all that out-- less the password.

Todd Boyd
Yeah; identity theft is no big deal. Wait.. what??!

Matthew Cooper
As long as I can play Codblops online, I don't care what my identity is!

Eric Geer
All I'm saying is that the "identity theft" isn't really a threat-- credit card companies have gotten really good at detecting fraudulent charges-- and 9.5/10 you will never see a charge for it... you never have a penalty...

I've had fraudulent charges on my credit cards and debit cards... most of the time I get a call within 15 to 20 mins that there has been suspicious activity on your card-- the only time I ever had to suck it up was when I left my debit card in the ATM and the unfriendly citizen nabbed up like 100 bucks.

Jordon Biondo
If someone stole my phone, could my friend sue me because the thief now knows my friend's number?

That just sounds ridiculous to me. If any outside group besides PSN customers profits anything from this breach I'll be quite upset.

Matthew Mouras
Why would they? The dispute is between Sony and PSN users.

Rey Samonte
Hrm...there's a big difference between crank calls vs. credit card debt that isn't yours.

Ben Lippincott
Well, if you made everyone you knew sign a legal document before considering them your friends then I would think that them taking you to court over a breach of trust wouldn't be too weird.

You're really comparing apples to zeppelins here.

Lo Pan
I'd like the hackers involved to be caught and perform 25 hours of community service with LiLo in the LA Morgue.

Tom Loughead
"We exclude all liability for loss of data or unauthorised access to your data, Sony Online Network account or Sony Online Network wallet and for damage caused to your software or hardware as a result of using or accessing Sony Online Network,"

And Sony walks out of court that afternoon with the lawsuit dismissed.

Adam Bishop
That's not how the law works. Companies have certain legal obligations to protect certain kinds of user data, and those obligations can't just be thrown out by claiming so. It is not uncommon for courts to throw out portions of contracts that they deem unenforceable.

Also, does anyone have a link to the actual document in question that supposedly says that? I can't actually find it through a Google search and it's definitely not in the Playstation Network Terms of Use (as seen here: http://us.playstation.com/support/termsofuse/). It does say that they won't be held responsible for the loss of *unsecured* user data (ie. if you give your password out to your friends), but that's clearly not what we're talking about here.

Doug Poston
"It does say that they won't be held responsible for the loss of *unsecured* user data..."

There's the loophole. If Sony didn't secure your credit card data, they can't be held responsible. ;)

Adam Bishop
I linked to the wrong document last time. Here's the correct one:

http://us.playstation.com/support/useragreements/termsserviceagreemt/index.htm

And here's what it says about liability:

"YOUR SOLE AND EXCLUSIVE RECOURSE IN THE EVENT OF ANY DISSATISFACTION WITH OR DAMAGE ARISING FROM SONY ONLINE SERVICES OR IN CONNECTION WITH THIS AGREEMENT AND SCEA’S MAXIMUM LIABILITY UNDER THIS AGREEMENT OR WITH RESPECT TO YOUR USE OF OR ACCESS TO SONY ONLINE SERVICES SHALL BE LIMITED TO YOUR DIRECT DAMAGES, NOT TO EXCEED THE UNUSED FUNDS IN YOUR WALLET AS OF THE DATE OF TERMINATION. EXCEPT AS STATED IN THE FOREGOING SENTENCE, SCEA EXCLUDES ALL LIABILITY FOR ANY LOSS OF DATA, DAMAGE CAUSED TO YOUR SOFTWARE OR HARDWARE, AND ANY OTHER LOSS OR DAMAGE SUFFERED BY YOU OR ANY THIRD PARTY, WHETHER DIRECT, INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL AND HOWEVER ARISING, AS A RESULT OF ACCESSING OR DOWNLOADING ANY CONTENT TO YOUR PLAYSTATION 3 COMPUTER ENTERTAINMENT SYSTEM, THE PSP (PLAYSTATION PORTABLE) SYSTEM, BRAVIA TELEVISION, SONY BLU-RAY DISC PLAYER OR ANY HARDWARE DEVICE, OR USING OR ACCESSING SONY ONLINE SERVICES. UNLESS THIS PROVISION IS UNENFORCEABLE IN YOUR JURISDICTION, THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE."

So, to be clear:

a) it doesn't even attempt to override any rights you may be granted by law

b) they agree that they will pay monetary damages if the circumstances dictate

c) this liability only relates to damage suffered *while accessing content*. It says absolutely nothing about info being stolen from Sony.

Maurício Gomes
You forgot that EULAs are not like that...

Between the law and the EULA, (theoretically) the law always wins.

EDIT: I left this page open, and commented some hours later... When I wrote the comment, there were no replies.

Mark Harris
"UNLESS THIS PROVISION IS UNENFORCEABLE IN YOUR JURISDICTION"

There are federal and state laws that directly address the protection of PII. Therefore this agreement could be very much in contradiction with local law, and is then considered invalid.

Sony can't absolve themselves from following laws with some tricky contract wording. For the same reason, if you sign a contract with someone that says you can kill him, you aren't going to get away with the murder. Your contract was invalid the moment it contradicted local laws.

Now, their liability should still be limited to any direct loss sustained by the user, or subsequent losses incurred through identity theft related to this breach. Normally in this situation companies settle and agree to return any direct losses and pay for credit monitoring/protection for a certain period of time. I imagine it will go about the same in this situation.

It gets trickier when you're talking about developers and lost revenue and all that, but that is probably governed by a different contract. As far as the PSN users go, you're not going to see much real compensation.

Alex Leighton
It's a tricky situation. I think before it can be decided if Sony was providing enough security, it has to be decided what exactly enough security is. Nothing is going to be 100% secure, and I think people need to realise this before they trust anyone with their personal information.

I also find it kind of interesting that most people seem to be blaming Sony, and not the actual hackers. Sure, it's doubtful that we'll find out who they are, but they're the villains here.

Christopher Enderle
Considering the recent Supreme Court ruling, I hope the EULA doesn't have an arbitration clause.

Evan Combs
Seriously, this isn't 1995, and there is only so much a company can do to stop attacks. If they can prove that Sony didn't take adequate measures, sure, this lawsuit is fine, but I highly doubt a company as large as Sony would have sub-par security.

The only thing that Sony should be required to do in this situation is inform all users who had their information stolen as soon as they know who, so they can take action to protect themselves.

I know this isn't how it is in America, there is no more personal responsibility, but this lawsuit should only be upheld if Sony did not take adequate steps to protect the information or if Sony didn't inform those whose information was stolen immediately. To me those are the only reasons that Sony should be liable for anything. Of course, though, this is 2011, so Sony will be forced to pay everyone $1 million just because someone was able to outsmart what is most likely some of the best security out there.

Mark Harris
Many times the point of these suits is to get information from Sony on the exact nature of the breach and what was stolen, since companies aren't necessarily forthcoming with all the details. Some lawyers make money, but often there isn't a huge money transfer from company to individuals.

Also, Sony will assuredly be heavily investigated, and I'd be surprised if there weren't some sanctions, requirements, and fines levied by whichever government agency is in charge of this (likely the FTC).

Amir Sharar
I was listening to CBC Radio today and one security expert claimed that Sony actually uses the Amazon EC2 services for PSN. He went on to say that the legal documents between these sorts of cloud services typically do NOT accept liability for security breaches, even with high profile clients.

If this is the case, it definitely changes the issue. Someone has to accept that liability, and as consumers we assume that Sony would be liable for the security of our personal data, but that assumption may be completely wrong. I have the same assumption for PayPal, online banking, online purchases, etc. and perhaps this mentality is wrong.

Jonathan Murphy
This was mentioned before. When you put all your eggs in one basket, it's begging to get smashed. Sony should have kept store accounts, online game accounts, and everything else separate from each other. When you make a toaster that burns down a house, or a service that loses credit card information (because you ignored warnings), someone must be held responsible.

Tom Baird
And with regards to credit card #s, they did keep them separate.

http://www.gamasutra.com/view/news/34337/Sony_Credit_Card_Data_Was_Encrypted_No_Evidence_To_Suggest_It_Was_Stolen.php

Marcus Miller
Sony will come out of this smelling like a rose. They did nothing wrong. They are the victim here.

Mark Harris
Please, please tell me you're being sarcastic.

Dan Edward
If you're serious, this is maybe the most insane thing I've read all year, Marcus. No one damaged or destroyed Sony property. No one stole money from them or shut down their network. The victims are the consumers, HTH!

Ujn Hunter
Sign me up. I'd also like Linux back... kthnx!

Matt K
For those saying Sony should have tightened up security:

"The Black Swan Theory is a metaphor that encapsulates the concept that: The event is a surprise (to the observer) and has a major impact. After the fact, the event is rationalized by hindsight."

Sure, there may have been warning signs, but there is no reason Sony should have expected this to happen. It was mostly out of nowhere, but some people are looking back and saying things about Anon's attacks and geo's hacks being these warning signs Sony should have heeded.

Mark Harris
Um, no, this isn't hindsight, since they were warned by the whole Geohotz thing that they had security issues. They should have immediately scheduled a full third party security audit for their entire operation, and especially for the PSN, which holds PII and financial information. Even further, they were directly threatened by a hacking group and still didn't suspend outside connections and do the audit.

Honestly they should have been undergoing frequent (try twice per year) network security audits anyway. Yes, it is expensive, and yes, it's a pain in the ass, but you do that so you don't run into THIS.

It's not just Sony either; there are a ton of government agencies here in the US as well as local and state governments that routinely fail security audits or don't conduct audits at all. It's actually pretty frightening how many people have your data stored somewhere with literally no security in place whatsoever.

Until these kinds of breaches are taken seriously and punished accordingly we will continue to have massive issues with identity theft and fraud. That ends up costing all of us money in the long run with increased costs for goods, increased taxes for law enforcement, etc.

In medicine they say "an ounce of prevention is worth a pound of cure". It applies here as well.

Matt K
Is that what typically happens after someone hacks a product? I didn't see Microsoft, Apple, or any other device companies have their customers' information stolen after their product was hacked, so this wasn't something predictable. Companies get threatened to be "hacked" all the time, whether it's by people frustrated with a service with no real hacking skills or by actual hackers; it rarely gets followed through with.

Mark Harris
Yes, when someone discovers a game-breaking hack that literally cannot be fixed with a firmware upgrade to a product that is connected to your network on the order of tens of millions, yes, you are damn straight that's what happens.

Any company that doesn't take a serious look at their network when devices that connect to that network are irrevocably hacked is asking for trouble.

Honestly, they stored customer info in plain text. PLAIN TEXT!

Matt K
There's just too much missing information that an outside person would need to start drawing conclusions at this point. Do we know Sony doesn't hire outside companies for security check-ups or even do the check-ups themselves on a regular basis? Did they take any kind of security measures when they found out the PS3 was finally hacked?

Maybe they could have prevented it, but from the little information that we have we can't make any solid conclusions, aside from the obvious.

Mark Harris
If they hired someone to do security audits then either those companies need to be put out of business or Sony didn't follow their advice. No security company on the planet with any shred of awareness would overlook non-encrypted personal data accessed from an open network. That's so blatant it's absurd.

Beyond that, they didn't shut down the PSN after the initial hack, only once the PSN itself was compromised, and not just compromised, but absolutely gutted. I've seen companies go on lockdown for much less than the PS3 hack.

Technically, yes, we don't know much (even though you can infer a lot of security issues by what we do know), and that is one reason for the lawsuit. Sony isn't giving much info out, and the people who were exposed deserve more.

Full disclosure: I work for a data company, and we have all your data. Seriously: SSN, name, address, phone numbers, DMV records, credit records, insurance records, criminal records, known associates, you name it. We take security VERY seriously, since if that stuff gets out it's curtains for you and us. Sony, from what I can infer so far, was at least somewhat negligent in their security.

Rodan Mistiff
If every one of the 77 million users got $100.00, Sony would be in the hole 7.7 billion dollars. So pretty much if it was any more money than that, Sony would be filing for bankruptcy protection.

Goodbye Sony. Thanks for innovating the game industry. Now go play with the Dreamcast.

Mark Harris
Won't happen. No court will drive Sony out of business because of this. Sony will end up with a hefty burden here, but mostly in cheap credit monitoring bought en masse for customers in countries that require it. They will pay millions in fines over the years to different government agencies if they are found to have been negligent in their security measures.

Outside of that there will be reparations for those who lose PSN credits or fringe cases of identity theft stemming directly from this breach.

It will hit Sony, but by no means will it drive them out of business.

Michael Dilts
Did anyone actually read the complaint? If you notice, they actually cite code (which you can look up on public domains) and they actually list their complaints and demands therein.

My personal favorite:

"6) An order requiring Defendant to immediately cease its wrongful conduct as set forth above; enjoining Defendant from continuing to falsely market and advertise, conceal material information and conduct business via the unlawful and unfair business acts and practices complained of herein; ordering Defendant to engage in a corrective notice campaign; and requiring Defendant to refund to Plaintiff and all members of the Class the funds paid to Defendant for the defective PlayStations and PSN services; ordering Defendant to pay for credit card monitoring for Plaintiff and all members of the Class."

Now that is HILARIOUS.