Sony is now the target of a lawsuit over negligence in protecting users' data. This isn't surprising, considering Sony only just admitted that users' personal data may have been compromised in the recent PlayStation Network hack.
Kristopher Johns of Birmingham, Alabama, filed the negligence suit on Wednesday in the U.S. District Court for the Northern District of California.
On Tuesday, the company said a hacker broke into the PSN and Qriocity servers between April 17 and 19 and potentially gained access to players' personal information, including, possibly, stored credit card information. The company hopes to begin restoring services within a week.
Sony waited too long?
In the suit, Johns says the company waited too long in informing its more than 77 million users of the breach. "[Sony] unduly delayed or failed to inform in a timely fashion the appropriate entities and consumers whose data was compromised of their vulnerabilities and exposure to credit card (or other) fraud," reads the filing. It goes on to say that this delay may have exacerbated the problem.
Security experts are already calling this one of the largest data breaches ever, and the scope of information in the hands of attackers is worrisome. "This provides potential ammunition for almost any type of attack," Dr. Paul Judge, president of security firm Barracuda Networks, told USA Today on Wednesday.
Sony claimed, in a blog post, that it only recently found out about the scope of the issue.
PSN data breach was discovered Monday
"There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised," senior director of corporate communications Patrick Seybold said. "It was necessary to conduct several days of forensic analysis, and it took our experts until [Monday] to understand the scope of the breach."
Johns is asking for monetary damages and free credit report monitoring for all those involved, as well class action status for his suit.
Getting any recourse could be tough legally though, as Sony stuck a clause within its terms of service that absolves it of any culpability in the event of data loss. "We exclude all liability for loss of data or unauthorized access to your data, Sony Online Network account or Sony Online Network wallet and for damage caused to your software or hardware as a result of using or accessing Sony Online Network," it reads.
Will that be enough to protect the Japanese company in the event it is found negligent? That's not clear--but what is clear is that the legal morass for Sony when it comes to this debacle has apparently only just begun.