An Essex County resident yesterday filed a class-action lawsuit against Sony over the theft of some 100 million PlayStation Network user records - and the loss of access to the gaming network.
In her lawsuit, filed yesterday in US District Court in Boston, Dawn Thompson says she is seeking in excess of $5 million - plus lawyers' fees - for herself and fellow gamers. Thompson charges the company negligently disregarded basic security measures, lied to subscribers and is depriving customers of access to the network that they paid for.
Sony shut PSN last month after discovering it had been hacked. Thompson, who says she bought a PlayStation 3 and PSN access in 2009, charges:
Plaintiff is informed and believes that Defendants have been aware for a substantial period of time that PSN was prone to catastrophic loss of data from a security breach. Nevertheless, Defendants failed to warn its customers of the problem or tried to prevent them from suffering system suspension from security breaches and data losses. Defendants have failed to effectively remedy the problems and defects inherent in the PSN. Unwilling to admit fault, SONY sat silently while consumers purchased defective PlayStation consoles and PSN service without warning customers about the risks inherent in purchasing and relying upon SONY’s data security.
The suit alleges:
SONY was, at all times relevant herein, in violation of the Payment Card Industry Data Security Standard by, including (without limitation), the following conduct: improperly storing and retaining credit card transaction and customer data in an unencrypted, unsecured, and unauthorized manner, failing to all reasonable steps to destroy, or arrange for the destruction of a customer’s addresses to and from its computer systems; or properly perform dynamic packet filtering; failing to properly restrict access to its computers; failing to properly protect stored data; failing to encrypt cardholder data and other sensitive information; failing to properly implement and update adequate anti-virus and anti-spyware software that would properly prevent unauthorized data transmissions caused by viruses, executables or scripts, from its servers or computer systems; failing to track and monitor all access to network resources and cardholder data; failing to regularly test security systems and processes or maintain an adequate policy that addresses information security, or to run vulnerability scans.