Employee Data Breach The Worst Part Of Sony Hack

The Sony hack has taught us so much. It’s taught us to send corporate email as if everyone is reading those emails. It’s taught us that people in Hollywood are just as mean as people in any other industry (and potentially racist). And it’s taught us that Channing Tatum is really enthusiastic about beating “TED” at the box office.

The lesson that is hardest to stomach is that you can do everything possible to protect yourself online and still be exposed, because your employer is laissez-faire about security. That is the position over 6,500 current (and many former) Sony employees find themselves in today.

As Gizmodo’s Brian Barrett wrote:

“The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It’s an email about trying to get pregnant. It’s shit-talking coworkers behind their backs, and people’s credit card log-ins. It’s literally thousands of Social Security numbers laid bare. It’s even the harmless, mundane, trivial stuff that makes up any day’s email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack.”

And now two of those employees have taken action — class action to be precise. Christina Mathis and Michael Corona have filed a federal court complaint against the movie studio, alleging that the company did not take enough precautions to keep employee and employee family data safe.

The complaint cites tech-blog reporting to argue that Sony knew its network was insecure and chose to accept the risk. It takes Sony to task for deploying DDoS-style countermeasures to suppress its leaked films while doing nothing comparable to protect employee data. And it cites several instances of Sony failing to adequately notify former employees, calling the free credit monitoring Sony offered after the December 2 hack insufficient.

As Kashmir Hill reported, there were only 11 people on the Sony information security team at the time of the hack:

“The real problem lies in the fact that there was no real investment in or real understanding of what information security is,” said the former employee. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected.

Among the leaked files, the hackers found one holding Sony usernames and passwords, named “Usernames&Passwords.”
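A file named “Usernames&Passwords” sitting in plaintext on an internal share is exactly what a routine sweep of file servers should catch before an attacker does. As an added example (not code from this article, from Sony, or from any of the reporting it cites), here is a small Python scanner that walks a directory tree and flags files that look like credential stores, ranking them by how many independent signals match: a suggestive filename, a username/password column header, `password =`-style assignments, and runs of delimited identifier/secret rows. The sample share it builds under a temporary directory, the file names, their contents and the regex heuristics are all constructed for illustration and are not real Sony data.

```python
"""Flag files on a share that look like plaintext credential stores.

Added example, not code from the article or from Sony. Every file name,
content and heuristic pattern below is constructed for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_BYTES = 1_000_000  # only inspect the first 1 MB of each file

# Heuristic signals. Each one alone is weak; several together are strong.
NAME_HINTS = re.compile(r"password|passwd|pwd|credential|secret", re.I)
# "username,password" / "login<TAB>pwd" style column header
HEADER_ROW = re.compile(
    r"^\s*(user(name)?|login)\s*[,;\t|]\s*(pass(word)?|pwd)\b", re.I | re.M)
# "password = hunter2", "secret: ...", "api_key=..." in config-like text
ASSIGNMENT = re.compile(
    r"^\s*(pass(word)?|pwd|secret|api[_-]?key)\s*[:=]\s*\S+", re.I | re.M)
# delimited "identifier,value" rows, e.g. a spreadsheet export
USER_ROW = re.compile(r"^[\w.@-]+\s*[,;\t|]\s*\S{6,}\s*$", re.M)


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def classify(path: str, text: str) -> Optional[Finding]:
    """Return a Finding if the file carries at least one credential signal."""
    name = os.path.basename(path)
    reasons = []
    if NAME_HINTS.search(name):
        reasons.append("filename suggests a credential store")
    if HEADER_ROW.search(text):
        reasons.append("username/password column header")
    assignments = len(ASSIGNMENT.findall(text))
    if assignments:
        reasons.append(f"{assignments} plaintext secret assignment(s)")
    rows = len(USER_ROW.findall(text))
    if rows >= 3:  # one or two delimited rows is just a CSV; three is a pattern
        reasons.append(f"{rows} delimited identifier/secret rows")
    return Finding(path, reasons) if reasons else None


def read_text(path: str) -> Optional[str]:
    """Read the head of a file as text; skip anything that looks binary."""
    with open(path, "rb") as fh:
        raw = fh.read(MAX_BYTES)
    if b"\x00" in raw:
        return None
    return raw.decode("utf-8", errors="replace")


def scan_tree(root: str) -> List[Finding]:
    """Walk root and return findings, strongest first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            text = read_text(path)
            if text is None:
                continue
            hit = classify(path, text)
            if hit:
                findings.append(hit)
    findings.sort(key=lambda f: (-f.score, f.path))
    return findings


def summarize(findings: List[Finding]) -> List[Tuple[str, int]]:
    """(basename, score) pairs, handy for reporting and for tests."""
    return [(os.path.basename(f.path), f.score) for f in findings]


# --- constructed sample share (hypothetical; not real Sony data) -------------
SAMPLE_FILES = {
    "hr/Usernames&Passwords.txt":
        "username,password\njdoe,Summer2014!\nasmith,Tr0ub4dor&3\nmlee,correcthorse\n",
    "it/db_config.ini":
        "[database]\nhost = db01.internal\nuser = app\npassword = hunter22\n",
    "hr/meeting_notes.txt":
        "Q3 planning: budget review Monday, then the login-flow redesign kickoff.\n",
    "media/trailer_clip.bin": b"\x00\x01\x02RIFF\x00\x00",  # binary, skipped
}


def demo() -> List[Finding]:
    """Materialise the sample share in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="share_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.score}  {f.path}")
        for r in f.reasons:
            print(f"      - {r}")
```

On the constructed share the spreadsheet export scores 3 (filename, header row, and four delimited rows) and the config file with a single `password =` line scores 1, while the meeting notes, which mention “login” only in prose, and the binary clip produce nothing. In practice the thresholds and patterns need tuning per environment, and a hit is a prompt to rotate the credentials and move them into a proper secrets store, not just to delete the file.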

Sony Director of Information Security Jason Spaltro even gave an interview in 2007 in which he openly defended Sony’s security gaps as an accepted cost of doing business: “it’s a valid business decision to accept the risk” of a security breach, he said, adding, “I will not invest $10 million to avoid a possible $1 million loss.”

This hack is estimated to cost Sony $100 million by the time all is said and done. The last one, the 2011 PlayStation Network breach, cost the company $171 million.

The plaintiffs are seeking a jury trial. Perhaps a messy, expensive public trial will persuade other obtuse companies to take information security seriously?

Update: And boom, a second lawsuit.

Sony Pictures Entertainment Suit