Suit Alleges Sony Laid Off Network Security Employees Just Before PSN Breach

A new class action lawsuit filed against Sony and its subsidiaries over the PlayStation Network security breach alleges that the company fired a number of network security employees just prior to a cyber attack that left over 100 million accounts compromised across PSN and Sony Online Entertainment. "Sony sought to cut its costs at the expense of its customers by terminating a significant number of employees immediately prior to the security breach, including personnel responsible for maintaining the security of the network," said the complaint, as obtained by Gamasutra. The court document alleged that two weeks prior to the April breach, Sony "laid off a substantial percentage of its Sony Online Entertainment workforce, including a number of employees in the Network Operations Center," which is responsible for preparing and responding to security breaches, a confidential witness said. In March this year, SOE laid off 205 workers and closed three studios. The suit also alleged that Sony "spent lavishly" to safeguard its own proprietary development server, the PS DevNetwork, "but recklessly declined to provide adequate protections for its customers' personal information," citing a confidential witness who was an employee with Sony Computer Entertainment America from 2006 to 2008, and with SOE for five months in 2010, according to the suit. Sony also knew that its network security was weak "because it had experienced hackings of sensitive data on a smaller scale prior to the massive security breach," the suit claimed. Another confidential witness, a platform support engineer for SOE from 2006 till March 2011, claimed that "Sony's technicians only installed firewalls on an ad-hoc [emphasis in original] basis after they determined that a particular user was attempting to gain unauthorized access to the network." The suit claimed that the practice fell short of widely-adopted security standards. And another confidential witness, a senior project coordinator for SCEA from June 2000 till March 2011, "expressed an utter lack of surprise" about the breach, "since he and others at Sony knew it had been breached on prior occasions as well," the complaint claims. The suit names Sony Corporation of America, Sony Computer Entertainment America, Sony Pictures Entertainment and Sony Network Entertainment International as defendants. In April, hackers attacked PSN and obtained sensitive personal information from 77 million user accounts. The company said it "could not rule out the possibility" that credit card information had been compromised, and took down the service on April 20. Soon after, the company said nearly 25 million SOE game accounts were compromised, and shut down SOE's Station.com online PC games service. Sony eventually restored all online game services in most territories by early June, and vowed that it had beefed up its network security. The suit was filed this week on behalf of a larger class by New York residents Felix Cortorreal, Jacques Daoud Jr. and Jimmy Cortorreal. The plaintiffs are seeking actual damages in the amount paid for the equipment and network, and "appropriate restitution" for class members, among other forms of relief. Gamasutra has contacted SCEA for comment.