Sony Agrees To $15 Million Payout, Free PS3 Games In PlayStation Breach Settlement
Sony has agreed to pay $15 million to users of its services impacted by its massive 2011 data breach and the nearly monthlong outage of its popular PlayStation Network and Qriocity music service.
Sony Computer Entertainment America indicated its support of the settlement in documents filed in U.S. District Court of Southern California on June 13. If the federal judge approves the terms, the settlement reached will put to rest 65 class action lawsuits that were filed against Sony following the breach. It would give U.S. residents who held PlayStation Network, Qriocity or Sony Online Entertainment accounts prior to May 15, 2011, eligibility to apply for losses associated with the breach.
Sony agreed to pay out a free PS3 or PSP game, three free PS3 themes or a free three-month subscription to PlayStation Plus. It also agreed to pay out account balances of $2 or more that had been inactive since the intrusions. Account holders of its Qriocity service who did not have a PlayStation Network account would be eligible for a free month of Music Unlimited from the service. Under the agreement, Sony Online Entertainment account holders would get a $4.50 credit.
In addition, Sony agreed to reimburse out-of-pocket charges of up to $2,500 due to actual identity theft associated with the breach. Account holders must provide documentation proving that the theft was caused by the intrusions, according to the settlement.
In January, the plaintiffs in the case were dealt a blow when a federal judge dismissed many of the negligence claims in the lawsuit. As part of the settlement agreement, Sony denies any claims of wrongdoing or that it "violated any laws or did anything wrong," according to the court documents outlining the settlement.
Solution providers say the agreement, if approved, is only a minor inconvenience for Sony, which had estimated the costs associated with the data breach at more than $171 million. The Sony data breach took place in April 2011 and impacted at least 77 million PlayStation account holders, making it one of the largest data breaches at the time. The Sony breach exposed login credentials, names, addresses, phone numbers and email addresses of account holders. The tally of those impacted grew an additional 24.6 million after investigators discovered attackers also penetrated systems associated with Sony Entertainment in another breach. The company offered U.S. PlayStation users one year of identity theft protection immediately following the breach.
The high-profile and broad, global scope of the Sony data breach took attention off of TJX Corp., which had suffered a serious credit card breach in 2007, impacting 45 million credit and debit card holders. In that instance, criminals gained access to the data by targeting weak Wi-Fi access points at the retailers T.J. Maxx, Marshalls, and other brick-and-mortar locations.
The Sony breach is sometimes a topic of discussion with clients who are concerned about service disruption and data security in the cloud, said Michael Aquino, director of cloud services at Chesapeake, Va.-based Cetan, a managed services provider.
"It's a big deal to have something come down or be brought offline and have the whole world out there to see it," Aquino said. "Service providers that want to remain in business will address the client's risk tolerance and ensure their service level needs are met."
Some of the issues with Sony may have been the massive scale and complexity of its IT infrastructure, which can become difficult to maintain and secure, said Jeremy MacBean, director of business development at solution provider IT Weapons in Toronto. Reducing complexity in the network architecture and turning off rarely used system components can increase security by reducing the attack surface that criminals can probe to find a way in, MacBean said.
"The fact that three years later this is still a blemish on [Sony] should give a clear signal to all business owners that protecting your customers' data is more important than ever," MacBean said. "Every business, large and small, is impacted by these issues."
Sony agreed to pay a $400,000 fine associated with the breach that was levied by the U.K. government last year. A report issued by the U.K. Information Commissioner's Office found that Sony failed to adequately protect passwords and ensure that appropriate technical measures were taken against unauthorized or unlawful processing of personal data stored on the network platform. The company also had been in a long-standing policy dispute with its insurer, Zurich Insurance Group, regarding the breach.
The Anonymous hacktivist group claimed responsibility for at least part of the Sony breach. A New York man, Xavier Monsegur, believed to have been the ringleader of LulzSec, an Anonymous offshoot, pled guilty to computer hacking conspiracies and other crimes. The FBI said Monsegur and three others formed LulzSec, and hacked into PBS, Sony and video game company Bethesda Softworks.
An FBI memo obtained by Reuters last year detailed the impact of the Anonymous hacktivist collective and indicated their increasing risk to national security.
PUBLISHED JUNE 17, 2014