Data Loss , Litigation

Sony Agrees To Settle Cyber-Attack Lawsuit

Studio Reaches Deal with Former Employees Over "The Interview" Breach
Sony Agrees To Settle Cyber-Attack Lawsuit

Sony Pictures Entertainment has reached a tentative deal to settle a combined lawsuit, seeking class-action status, filed by former employees in the wake of the massive 2014 hack attack against it, and accompanying data breach.

See Also: 12 Top Cloud Threats of 2016

"On September 1, 2015, plaintiffs and SPE reached an agreement in principle to settle all of the claims of the putative class against SPE, subject to final documentation, which will be submitted for the court's approval," says a Sept. 2 court filing by the plaintiffs' lawyers. Details of the tentative agreement were first reported by Hollywood news site Deadline.

A motion filed by former Sony employees Ella Carline Archibeque, Marcela Bailey, Michael Corona, Joshua Forster, Michael Levine, Christina Mathis, Steven Shapiro and Geoffrey Springer says that they will seek preliminary approval of the agreement by October 19. "We believe the proposed settlement is a favorable resolution of the claims asserted by the plaintiffs," attorney Daniel C. Girard wrote in the filing.

Following the hack attack against Sony, which came to light on Nov. 24, 2014, at least 10 former Sony employees - starting on Dec. 15, 2014 - began filing breach-related lawsuits against the company on behalf of 50,000 current and former Sony employees. But no details about the proposed settlement have yet been made public, and it is not clear how many of the 50,000 current and former employees it might cover. Both Girard and Sony declined to comment on related questions.

Credit for the Sony data breach - and damaging wiper malware attack that bricked thousands of Sony PCs - was claimed by a group calling itself G.O.P., which came to claim that the attacks were launched in retaliation for the Sony Pictures film "The Interview" and its fictional portrayal of the death of North Korean leader Kim Jong-un. The FBI took the unusual step of attributing the Sony hack attack to "North Korea actors." But multiple information security experts have disputed that attribution (see FBI's Sony Attribution: Doubts Continue).

Breach Impact

The lawsuit filed against Sony asserts that 47,000 Social Security numbers and personally identifiable information for at least 15,000 current and former employees - some of whom had not worked for the studio since 1955 - were stolen by attackers. The lawsuit also reported that some of the breach victims' PII was already being traded on black-market websites and being used by identity thieves, and cited a September 2014 audit by PricewatershouseCoopers, which had warned that Sony's information security and monitoring practices fell below "prudent industry standards."

The leaked Sony information also included embarrassing emails between Sony Pictures co-chair Amy Pascal and producer Scott Rudin, in which they exchanged racially charged communications about President Obama (see Sony Pictures Cyber-Attack Timeline). Pascal resigned from her top-level executive position with Sony in February, reportedly in exchange for a four-year movie production contract with the studio.

Sony Has Been Battling Lawsuit

Sony has been fighting the class-action lawsuit, while suffering notable setbacks along the way. In June, U.S. District Judge R. Gary Klausner granted Sony's request to dismiss allegations of breach of contract, and that Sony failed to notify breach victims in a timely manner. But he didn't grant Sony's request to dismiss other parts of the lawsuit, thus allowing it to proceed (see Will Sony Settle Cyber-Attack Lawsuit?).

That included plaintiffs' allegation that Sony "made a business decision to accept the risk of losses associated with being hacked," and that employees had been required to share their PII - including Social Security numbers, driver's licenses and passport numbers, and medical information - with Sony to receive benefits. Judge Klausner said that had created a "special relationship" between Sony and its employees that could make the studio financially liable for having lost control of that data.

In August, Sony filed a motion opposing the plaintiffs' request that their lawsuit be granted class certification. A related hearing was scheduled for September 14.

But if the proposed agreement is approved, Sony could have the data breach lawsuits filed against it settled before the one-year anniversary of the attack against it.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network