In 2011, a hack to Sony’s PlayStation Network exposed names, addresses and credit card data connected to 77 million user accounts. Sony finally settled the resulting class action in July, agreeing to give away $15 million worth of games and services to affected customers, and racking up $396,000 in fees under the U.K.’s Data Protection Act.
“If you are responsible for so many payment card details and login details, then keeping that personal data secure has to be your priority. In this case, that just didn’t happen, and when the database was targeted—albeit in a determined criminal attack—the security measures in place were simply not good enough,” said David Smith, deputy commissioner and director of data protection at the U.K. Information Commissioner’s Office. “[Sony] is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
Despite this costly lesson, just three years later, hackers calling themselves the Guardians of Peace made headlines by breaching the company’s defenses once again. The group demanded that Sony Pictures Entertainment cancel the release of The Interview, a controversial film in which stars Seth Rogan and James Franco execute a plan to assassinate North Korean president Kim Jong Un. The hack exposed reams of personal information about Sony staff, including Social Security numbers for 47,000 current and former employees, health insurance reimbursements, performance evaluations, salary spreadsheets for 6,800 global employees, personal employee files, doctors’ letters explaining the medical rationale for leaves of absence and even one executive’s breastfeeding schedule. Medical records of employees with particularly costly treatment requirements were revealed, as were detailed discussions with insurers over denied claims for surgeries and therapy sessions.
Current and former employees charge that Sony maintains a notably lax approach to data security throughout the corporation. Just 11 people are assigned to the information security team out of a company of 7,000 employees, according to leaked files discovered by Fusion. As a result, employees have so far filed four class action lawsuits alleging that the company put them at risk.
“Defendant has failed to take reasonable steps to secure the data of its employees from hacking and other collateral attacks despite its having a duty to safeguard its employees’ data,” one filing read. “Only three years ago, Defendant incurred one of the largest data breaches in history.”
The suit continued, “In the wake of that data breach, Defendant conceded that a ‘known vulnerability’ was exploited, and subsequent analysis from the information technology community confirmed that Defendant had failed to put into place even the most rudimentary security protocols.”
While leaked emails drew headlines for exposing contests of ego and other insider fodder for gossip, the data dump revealed far more about rank-and-file employees. Much of this information was stored in unencrypted files that often were not even password protected, creating an easy target for hackers. Indeed, one directory was simply called “passwords,” housing more than 100 documents containing logins and passwords for business services like LexisNexis and Bloomberg as well as personal financial services like Fidelity.
Just 11 people are assigned to Sony’s information security team out of a company of 7,000 employees, according to leaked files discovered by Fusion.
In an internal email obtained by technology news site Re/code, Sony CEO Michael Lynton shared a note with employees from Kevin Mandia, head of security firm Mandiant, which Sony hired to investigate and clean up the breach. Mandia called the Sony hack an “unparalleled crime” carried out by “an organized group,” and claimed that “neither SPE [Sony Pictures Entertainment] nor other companies could have been fully prepared.”
“The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat,” Mandia wrote.
Past and present employees disagree, however, claiming that overall security was unacceptably weak given the broad risk of cyberbreach. “For decades, [Sony] failed, and continues to fail, to take the reasonably necessary actions to provide a sufficient level of IT security to reasonably secure its employees’ [personal information],” one of the suits asserted.
Calling the breach an “epic nightmare much better suited to a cinematic thriller than real life,” the plaintiffs also claim that Sony failed to adequately notify former workers who may have been affected. “Put simply, Sony knew about the risks it took with its past and current employees’ data,” they wrote. “Sony gambled, and its employees—past and current—lost.”
The breach itself is expected to cost Sony Pictures at least $15 million to rebuild the computer network and conduct a forensic investigation of the attack. The studio has also procured third-party identity protection services for employees. Some of the reputational damage has already subsided, though, with The Interview exceeding expectations in both online and limited theatrical release and furor over the leaked emails falling out of the news cycle. The studio even closed out the fourth quarter with $20 million in earnings—a net gain. Nevertheless, the incident may have prompted the resignation of co-chairman Amy Pascal and additional legal ramifications could come with an even bigger price tag, as well as far-reaching implications for other employers.
Sony Pictures is based in California, which has some of the country’s strictest laws protecting the privacy of medical records. Government penalties for unlawful disclosure of that data alone could reach millions of dollars. “Civil code requires any medical information to be kept separate from other employee information. It needs to be maintained behind a security system,” privacy attorney Peter Rukin told the Washington Post. While it is unclear what kind of system the company used, he noted that it “should have been under lock and key.”
According to Princeton law professor Andrea Matwyshyn, the case against Sony may be stronger than previous class actions over data breaches because employers have a duty of care for their employees that goes beyond the duty of care owed to customers. “This is untested territory, but employers are held to a higher standard of care with respect to the safety of their employees,” she told the Associated Press. “Employers, for example, are responsible for providing a safe work environment for their employees and there are OSHA rules around the physical safety of employees. So it is arguably a natural extension that heightened levels of care would also extend to data management.”
While employees’ Social Security numbers and financial records are sensitive, the medical information involved in the Sony breach raises new questions that could affect other companies involved in breaches. Sony is not a healthcare facility or so-called “covered” entity as defined under the federal statute HIPAA. Therefore, it is not subject to the same requirements for securing medical data that governs hospitals and doctors, Matwyshyn said. But California law requires employers to secure employee medical records, and that would apply to Sony. The company could also face problems in Europe, where data-protection laws are often much more extensive.