A group of former and current Sony Pictures employees are suing the company for failing to protect their data, according to a complaint filed today in California District Court. (A second suit has also been filed according to The Hollywood Reporter, alleging that the choice to name North Korea put employees in danger.) The group is led by a former employee named Michael Corona, who worked for Sony between 2004 and 2007, and is currently spending $700 a year for identity theft protection. Sony has reportedly offered to provide identity theft monitoring services to current employees, but many previous employees like Corona have been affected by the leak and left to fend for themselves.
"An epic nightmare, much better suited to a cinematic thriller than to real life."
The complaint opens dramatically, describing the hack as, "an epic nightmare, much better suited to a cinematic thriller than to real life...unfolding in slow motion for Sony's current and former employees." The complaint alleges that Sony failed to adequately secure its systems despite years of warning signs, making a "business decision to accept the risk." Once the hack was under way, the complaint says Sony didn't do enough to protect employe information after the fact, despite multiple warnings from attackers.
The case focuses particularly on the leak of 47,000 social security numbers from current and former employees, which occurred more than a week after the initial attack. It's unclear when the affected employees received credit monitoring services to help mitigate the effects of the leak, although Sony should have had ample warning that such a leak was possible. In a strange twist, the complaint seems to rely heavily on other leaked documents. Leaked emails help establish that executives were aware of the vulnerabilities in the computer system, and chose not to improve it after previous attacks. It's unclear whether these documents will ultimately be seen as admissible in court.
12/16 5:39pm ET: Updated to include news of the second suit.