Nine former employees who had filed individual lawsuits against Sony in December and January in response to the massive hacking and data breach apparently done by North Koreans have joined together to file an amended class action lawsuit on their own behalf and on behalf of a large number of employees and former employees whose personal information was compromised in the massive data breach. Among the new information contained in the civil complaint filed by the former employees is reference to a September 2014 audit done by PricewatershouseCoopers that indicated that Sony did not do an adequate job of monitoring its systems. The complaint when on to also assert that Sony has yet to contact all of its former employees to inform them whether or not their information was among that stolen. The lawsuit alleged that more than 47,000 Social Security numbers were taken in the data breach including 15,200 from present and former employees who worked for the company as far back as 1955.
The hacking of Sony should be a wake-up call to all companies. Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions. The list of Sony’s failings are many. Data banks were not properly segregated. The company was particularly susceptible to phishing attacks. It retained personal information long after it was necessary and it kept an unencrypted file entitled “Passwords” with a compendium of passwords providing ready access to the hackers to sensitive information. These are just a few of Sony’s failings.
The lesson to all of us as individuals is once again that we are only as safe as the places with the weakest security that hold our personal information. It is also a warning to us all to limit, as much as possible, the places that do hold that information. Many companies including medical providers, a particularly rich target of hackers recently, request your Social Security number as an identifying number although they have no real need for your Social Security number. We all should resist providing our Social Security numbers to companies that request it unless they have legitimate need for it.