The holiday hits keep coming. A fourth class-action lawsuit was filed in federal court in Los Angeles last week against Sony Pictures Entertainment. This suit was brought by two former IT employees — Michael Levine, a former Sony Pictures Imageworks technical director and Lionel Felix, a former Sony Pictures director of technology — who claim that the company’s negligence resulted in the exposure of the personal information of 47,000 current and former employees.
The suit claims that the company failed to take reasonable steps to protect employee data from hacking and other attacks. The suit recalled the company’s hack of 2011.
“Only three years ago, Defendant incurred one of the largest data breaches in history, in which 77 million customer records wer3 compromised. In the wake of that data breach, Defendant conceded that a ‘known vulnerability’ was exploited, and subsequent analysis from the information technology community confirmed that Defendant had failed to put into place even the most rudimentary security protocols.”
Michael Sobol and RoseMarie Maliekel of Lieff Cabraser Heimann & Bernstein represent the plaintiffs. Sobol stated on the firm’s website:
“The employee data maintained by Sony that has been hacked contains the most intimate details of the personal and professional lives of thousands of current and former Sony employees and their families. These employees are now vulnerable to cyber criminals who may use their Social Security Numbers, birth dates, medical records, and personnel data.”
From the Washington Post, according to some, it may be too early to blame the company. Per David Vladeck, a former Federal Trade Commission official and a Georgetown law professor.
“The real question is, was this Sony’s fault in the sense that it had lax security? I think it’s too early to tell. There’s a great deal of forensic work that goes into examining a data breach of this magnitude.”
Kevin Mandia, the head of Mandiant, the security firm working with Sony in investigating the incident, would most likely agree with Vladeck’s statement. Mandia recently called the attack “unprecedented,” “unparalleled” and one that neither Sony nor other companies could have been adequately prepared for. From Recode.net:
“This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat.
“In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release
confidential information to the public. The bottom line is that this was an unparalleled and well-planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”
So, what’s next for the company? Perhaps, defending itself against harsh criticism and wishing for a Hollywood ending.