Euro Security Watch with Mathew J. Schwartz


Sony Breach: No 007 to the Rescue

Studio Reaches $8 Million Settlement, But Will It Learn From Mistakes?

The escapades of a purported gang of North Korean hackers may never rival the latest "Star Wars" film or James Bond installment for sheer cinematic drawing power. But for the information security set, the 2014 Sony Pictures Entertainment data breach at the hands of the Guardians of Peace is a movie blockbuster just waiting to be filmed.


Let's get that script green-lit now, as the whole sorry Sony saga finally appears to be nearing its end, thanks to the studio having reached a settlement agreement for current and former employees affected by the breach. The agreement is worth up to $4.5 million, with a separate $3.5 million guaranteed for plaintiffs' attorneys, plus an additional $24,000 for each of the nine former employees who are serving as the "class representatives" for the lawsuit.


The $8 million settlement agreement, which must still be approved by U.S. District Judge R. Gary Klausner, is the end result of seven lawsuits filed by 10 former Sony employees against the firm, of which six were dismissed, leaving this amended class action lawsuit, known as "Corona v. Sony Pictures Entertainment Inc."

But it remains unclear how easily breach victims will be able to document and recover from Sony any losses relating to identity theft or expenses related to post-breach preventive measures that they took.

The agreement comes after Sony attempted to face down a lawsuit filed by a group of former employees, and failed. Those employees had alleged in court documents that "Sony failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years." The lawsuit also asserted that 47,000 Social Security numbers and personally identifiable information for at least 15,000 current and former employees - some of whom had not worked for the studio since 1955 - had been stolen by attackers, and that some of that PII was being bought and sold on cybercrime forums.

The breach also resulted in the leak of unreleased movies, the script for the upcoming Daniel Craig 007 film "Spectre," and a slew of embarrassing studio emails that led to the resignation of Sony Pictures co-chair Amy Pascal, as well as a damaging wiper malware attack that bricked numerous Sony PCs (see Sony Pictures Cyber-Attack Timeline).

Sony moved for the class-action lawsuit to be dismissed, but suffered a setback in June when Judge Klausner instead ruled that some parts of it could proceed (see Will Sony Settle Cyber-Attack Lawsuit?).

Based on past data-breach lawsuits, such a ruling typically results in the leadership of the breached organization opting to settle. In part, that's because no company seems to want to risk having a breach-related class-action lawsuit go to a jury trial, which could result in outsize damages being awarded to breach victims and set a precedent that works against breached organizations in the future (see Why So Many Data Breach Lawsuits Fail).

Sony's Breach-Victim Fund: $4 Million

Following that now well-established data breach lawsuit script, Sony in September unsurprisingly announced that it would settle the case (see Sony Agrees To Settle Cyber-Attack Lawsuit).

Under the terms of the settlement agreement that was reached this week, Sony has agreed to:

  • Reimburse documented cases of identity theft or misuse, up to $10,000 per claimant, from a fund worth $2.5 million.
  • Reimburse preventive measures breach victims took, up to $1,000 per claimant, from a $2 million fund.
  • Extend the prepaid identity theft monitoring services being offered via AllClear through to Dec. 31, 2017, for all breach victims.

But to obtain any identity theft reimbursement, a claimant will have to prove that any PII loss "is reasonably attributable to the SPE cyberattack," as well as document that the breach victim "has sought and been denied reimbursement through the normal course," including the AllClear identity theft service, which offers breach insurance that will reimburse some types of losses and expenses. Any post-breach preventive measures - including paying for credit monitoring, freezing or unfreezing of credit and obtaining credit reports - must also be documented, except for the ability to claim up to $50 in "lost time."

As is typical with such settlements, Sony has also denied any wrongdoing.

Will Studio Learn?

But is the offer of up to $10,000 for identity theft losses and $1,000 for post-breach prevention expenses for each breach victim fair, in light of Sony allegedly skimping on information security (see 6 Sony Breach Lessons We Must Learn)?

For comparison purposes, the supposed source of the Guardians of Peace ire was "The Interview," which went on to earn $40 million in online and on-demand sales less than a month after its off-again, on-again release (see Sony: Controversial Film Breaks Record). Meanwhile, the studio's upcoming James Bond film "Spectre" - which is already getting glowing reviews - follows in the wake of the similarly lauded "Skyfall," which took in more than $1 billion at the box office.

The Guardian notes that the new 007 movie rails against "illicit hacking," arguing instead for the use of superhuman secret agents. As Sony's breach demonstrates, however, the studio has no such protectors in place for its real-world information security concerns. But whether it has learned from the breach - and the more than $35 million it already spent on related cleanup efforts, as of March - remains to be seen.



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.