Suit charges Sony laid off security before big hack, spent only protect itself afterward

Lock your own door, but leave customers outside to face wolves? Classy move, Sony

At a big Sony shareholder's meeting in Tokyo earlier this week Sony CEO Sir Howard Stringer blamed the company's dismal recent history of hackage on a community of no-goodniks angry at Sony for having protected its intellectual property with aggressive lawsuits and harassment of customers who cracked its security so they could customize the hardware they bought.

His argument isn't completely unrealistic, but it ignored the six weeks of response time between the first hack and the last – weeks in which most companies would have been able to do something drastic to improve security and halt the humiliation, or fire the people who couldn't make those changes.

It turns out, according to a lawsuit filed in California, that Sony may have gotten things backward by firing the security people before the hackery even started.

The suit, filed by three New Yorkers who were members of the PlayStation network when it was hacked, the account information of 77 million of their peers was stolen and Sony took it offline as the only remaining alternative to protect itself from having the whole site taken over and converted to run Sega instead.

The suit charges Sony laid off "a number" of people in its Network Operations Center in the weeks before the attacks and that after the first attack it spent more money securing its corporate data than doing anything to stop a string of follow-on attacks.

Sony denied the claim through a spokesman who acknowledged there had been layoffs in Sony Online Entertainment to "reduce costs and streamline the company's workforce."

None of those laid off were in security, however, the Sony spokesman said.

The three men who filed the suit -- Felix Cortorreal, Jimmy Cortorreal and Jacques Daoud – said they got their information about the layoffs and Sony's negligence from a confidential internal source.

The claims about layoffs have not been corroborated in the three days since news about the charges broke.

Even without laying off its security staff, Sony knew its security was under par and had invested a lot to create firewalls, a 'debug unit' and IP address blocking to protect the servers used by Sony developers and host to Sony's own gaming code.

It did not encrypt usernames, passwords, email addresses or other personal data of customers, and was slow to do anything that would close the breach, the suit charged.

“While Sony knew that these basic security measures were necessary to protect its proprietary systems, it chose to cut corners when it came to its customers’ personal information and failed to implement similar safeguards on the PlayStation and SPE networks,” according to the 30-page complaint against Sony. Eighteen other suits have been filed against it as well.

The suits will probably be wrapped up into one big class-action suit that will be settled less than a month before it's due to go to trial, with most of the money going to law firms, technical experts and forensic investigators.

The odds of any of the PlaystationNetwork players making a significant chunk of money for the pain of being forced out of their favorite game is remote.

Charging Sony's negligence set them up for fraud and identity theft carries much more heft, but not enough to make individual claims stick out enough to force Sony to cough up any more than the few million that would be routine for a company its size, and which would shrink down to pizza money by the time any of the plaintiffs actually see it.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon