Sony Settles Data Breach LawsuitAgreement Follows April 2011 Breach that Affected 77 Million
Sony Computer Entertainment America has agreed to settle a class action lawsuit that stemmed from an April 2011 data breach that compromised the personal information of 77 million customers of Sony's PlayStation Network and Qriocity service (see: Sony Breach Ignites Phishing Fears).
See Also: The Global State of Online Digital Trust
As part of the settlement, impacted individuals, depending on the claim, can receive free games, subscriptions to online services, virtual currency and compensation for identity theft remediation costs, among other benefits, Sony says in a statement provided to Information Security Media Group.
"While we continue to deny the allegations in the class action lawsuits, most of which had been previously dismissed by the trial court, we decided to move forward with a settlement to avoid the costs associated with lengthy litigation," the company says. "To date, the Sony entities have received no confirmed reports of identity theft linked to the attacks, and there is no evidence that anyone's credit card information was accessed."
Sony says the proposed settlement is subject to court approval before it becomes final.
The lawsuit was filed on behalf of everyone in the U.S. who had a PlayStation Network account, a Qriocity account, or a Sony Online Entertainment account, the settlement says.
The breakdown in settlement payouts is as follows:
- Payment equal to paid balances in PSN or SOE accounts that have been inactive since the intrusions;
- One or more of the following: a free PS3 or PSP game, or a free 3-month subscription to PlayStation Plus;
- A free month of Music Unlimited for Qriocity accountholders who did not have a PSN account;
- $4.50 in SOE station cash, Sony's virtual currency, for SOE accountholders; amounts will be reduced if claims exceed $4 million.
Sony has agreed to pay the plaintiffs' attorneys' fees, costs and expenses up to a combined total of $2.75 million, according to the settlement. Attorneys for the plaintiffs could not be reached for comment.
In April 2011, Sony confirmed that hackers had attacked its PlayStation Network. Names, addresses, dates of birth and account passwords were exposed for customers of Sony's PlayStation Network and Qriocity service.
The attacks occurred between April 17 and 19, 2011, forcing Sony to shutter the PlayStation network on April 20. The outage lasted for more than three weeks.
Sony said the hackers used distributed-denial-of-service attacks to camouflage simultaneous intrusions that resulted in the exposure of the personal information (see: Sony: DDoS Masked Data Exfiltration).
At the time of the attacks, Sony did not have a chief information security officer. In September 2011, Sony tapped Philip Reitinger, a former top cybersecurity policymaker at the Department of Homeland Security, as its CISO and senior vice president (see: Ex-DHS Official Becomes Sony's CISO).
Following the incident, the UK Information Commissioner's Office fined Sony Â£250,000 - nearly $390,000 - for not taking appropriate steps to safeguard customers' personal information (see: Sony Vacates Appeal of PlayStation Fine).
David Smith, Britain's deputy information commissioner and director of data protection, said Sony failed to secure its customers' personal details. "The security measures in place were simply not good enough," he said. "There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
When British authorities levied the fine against Sony, company spokesman Jonathan Fargher said the Information Commissioner's Office recognized that Sony was victimized by a focused and determined criminal attack, and no evidence exists that hackers accessed encrypted payment card details and that personal data was used fraudulently.