Sony Pictures faces lawsuits following security breach
Four suits say Sony should have expected and prepared for a cyberattack
Previous security breaches had occurred as early as April 2011, the suits say
Medical records, tax forms and Social Security numbers were put on the Internet
Former employees of Sony Pictures Entertainment have filed four lawsuits against the company following a massive security breach.
The suits alleged Sony was negligent because it didn’t prepare for a massive cyberattack despite warnings and previous security breaches. The two other suits were filed but were not available for inspection Saturday.
Michael Corona and Christina Mathis’s complaint put the situation in dramatic terms:
“An epic nightmare, much better suited to a cinematic thriller than to real life, is unfolding in slow motion for Sony’s current and former employees: Their most sensitive data including over 47,000 Social Security numbers, employment files including salaries, medical information, and anything else that their employer Sony touched, has been leaked to the public, and may even be in the hands of criminals.”
The suits were filed December 15-19.
Four are class-action lawsuits, meaning the plaintiffs want the suits to include all other former and current employees affected by the breach, not just themselves. The plaintiffs contend that stored information about former employees was compromised.
How many people would be included in possible class-action lawsuits is unknown.
A complaint by Michael Levine and Felix Lionel said information about 47,000 current and former employees and their family members had been posted online recently because of hacking linked to North Korea.
Another complaint estimated 15,000 current and former employees were affected but said the number could only be determined by company records.
Sony Pictures did not respond to a CNN request for a comment Saturday; it declined to comment in a Friday Washington Post story about the lawsuits.
The complaint filed by Levine and Lionel says employees and family members “will have to remain vigilant for the rest of their lives to combat potential identity theft. …” Despite efforts to scrub the personal records from the Internet, the information will be “forever recoverable by anyone who wishes to find them.”
The information “contains the most intimate details of personal and professional lives including … medical records, Social Security Numbers, birth dates, personal emails, home addresses, salaries, tax information, employee evaluations, disciplinary actions, criminal background checks, severance packages, and family medical histories,” the complaint says.
Suits: Previous hacks occurred
The former employees say Sony should have known the system had a problem because of previous hacks.
A breach occurred in January 2011 when hackers made the PlayStation game Modern Warfare 2 unplayable through the PlayStation network, the complaint by Corona and Mathis says.
In April 2011, hackers stole millions of user accounts from the PlayStation video game network, their complaint says.
The hacker group Anonymous warned Sony of that impending breach weeks in advance, the complaint says, but Sony didn’t implement safeguards to protect the system.
The company settled a class-action lawsuit over the April 2011 breach for $15 million in games, online currency and identity theft reimbursement, the complaint says.
Hackers struck again in August 2014, taking down the PlayStation network and Sony Entertainment Network, the complaint says.
Sony has received warnings more recently, according to a complaint by Susan Dukow and Yvonne Yaconelli.
North Korea issued warning
North Korea’s ambassador to the United Nations warned Sony that release of its movie “The Interview,” in which Americans try to assassinate North Korea’s leader Kim Jong Un, was tantamount to “an act of war” and threatened a “decisive and merciless counter measure,” according to their complaint.
U.S. seeks China’s help against North Korean cyberattacks
Sony executives knew that producing a movie about an attempt on the life of an existing world leader “would cause a backlash,” the complaint says.
The chronology of the most recent hacking is described in all of the lawsuits.
A group of hackers called the Guardians of Peace took over Sony’s network on November 24.
The hackers displayed their own messages and skeleton image and the words “Hacked by #GOP,” said Dukow and Yaconelli’s complaint.
On November 27, five Sony films, including four that had not been released, were shared online.
On December 1, the pre-bonus salaries of the top 17 Sony executives were leaked along with files showing the salaries of 6,000 current and former employees, the suits contend.
On December 3, files showing passports and visas of cast and crew members were put online, along with film budgets and confidential contracts.
On December 2 and 5, company leaders acknowledged the personal information was compromised, but said they weren’t sure how seriously, the Corona-Mathis complaint said.
‘Your family will be in danger’
Sony announced Wednesday that “The Interview” would not be shown in theaters.
Two of the four lawsuits ask that Sony be ordered to provide five years of credit monitoring, identity theft insurance and other services. One of the suits seeks $1,000 for each violation of a California law that requires companies to keep medical information secure. All four suits seek unspecified damages and attorney fees.
Republicans to theaters: Don’t be bullied, show ‘The Interview’
The FBI says that North Korea is responsible for the cyberattack. An FBI investigation linked the malware, infrastructure and techniques used by the Guardians of Peace in the Sony attack to previous North Korean cyberattacks.
The hackers broke into Sony’s servers, published private emails and information, and threatened to attack movie theaters screening “The Interview,” a comedy film about an assassination plot on North Korea’s leader. North Korea denies being responsible.
On December 5, employees received an email from the Guardians of Peace saying they needed to support the group by signing their name to an online document, the Corona-Mathis complaint said. “If you don’t not only you but your family will be in danger,” the email said.
Three suits were filed in U.S. District Court in California and one in Los Angeles County Superior Court. No hearing dates were listed.
CNN’s Kristina Sgueglia contributed to this report.