The nightmare of the massive hacking of Sony Pictures' email system in November of last year is still continuing, and many current and former employees are claiming that the fallout they all feared would happen has already begun — namely, that their personal information that was accessed in the breach is already being abused.
According to a lawsuit filed by a group of employees, their personal information is being used to rack up thousands of dollars in unauthorized credit card charges, as well as to open fraudulent new accounts in their names. Many also claim their personal information is being posted for sale on black-market websites, reports Deadline.com and The Hollywood Reporter.
All of this spells bad news for Sony Pictures Entertainment (SPE), who just last month got a judge to dismiss a similar lawsuit filed by employees against the company for neglecting to safeguard their personal information, on the grounds that no employee could prove any damage as a result of the hack.
According to the Hollywood Reporter and Fortune Magazine, the crux of the lawsuit claims negligence on the part of SPE, stating the company was more concerned with "cost-cutting" than with implementing basic cyber security measures that would have protected the employees' personal information.
"[SPE] devoted meager resources to data security, assigning only 11 employees to its information security team, and repeatedly ignored warnings about security gaps and violations," Hollywood Reporter quotes from the lawsuit.
One of the plaintiffs' lawyers told Deadline.com, “SPE knew its data security was inadequate. SPE and its sister companies experienced multiple prior data breaches that exposed significant weaknesses in the Sony companies' security measures, including the 2011 breach of the Sony PlayStation Network that compromised information from over 75 million customer accounts, and which experts attributed to an unsophisticated method of hacking that would not have been successful if the most basic security measures had been in place.”
Sony representatives denied all these allegations in Fortune Magazine, saying “any suggestion Sony Pictures Entertainment should have been able to defend itself against this attack is deeply flawed."
The Hollywood Reporter estimates a class-action win for the plaintiffs could mean damages of as much as $50 million for SPE, which would entitle each employee named in the suit who can prove damages from the hack — which could be as many as 10,000 employees — to a modest cash payout plus just over $600 to pay for two years' worth of identity theft protection and monitoring.
Two experts hired by the plaintiffs — Larry Ponemon, a cyber expert, and Dr. Henry Fishkind, an economist — told Deadline.com they think that isn't going to cut it.
“Dr. Ponemon has explained that all class members will be subjected to heightened risk of identity fraud going forward for years to come, and the plaintiffs' economist, Dr. Henry Fishkind, has provided an appropriate and common model for measuring the reasonable costs (discounted to present value) that class members will incur to monitor and protect themselves from identity,” stated documents filed in June for the lawsuit.
A hearing is scheduled for mid-September, when a judge will decide whether the plaintiffs have met the necessary criteria to qualify for class-action status.