A lawsuit being leveled against Sony relating to the recent breach activity alleges they skimped on security experts, laying off a batch of professionals prior to the events. The suit, seeking class action status, is being brought by Felix Cortorreal, Jimmy Cortorreal, and Jacques Daoud Jr., who claim they were directly affected by the data breach, along with other customers.
The claims center around Sony allegedly failing to take proper steps to protect customer data. The court documents claim “Sony knew that its inadequate security systems placed it at increased risk for the attack, which directly and proximately caused the theft of its Customers’ Personal Information and a month-long interruption of the PlayStation and SPE Networks.” Continuing, “moreover, just two weeks before the April breach, Sony laid off a substantial percentage of its Sony Online Entertainment workforce, including a number of employees in the Network Operations Centre, which, according to Confidential Witness 2, is the group that is responsible for preparing for and responding to security breaches, and who ostensibly has the skills to bring the Network’s security technology up-to-date.”
Interestingly, the suit documents allege Sony had a series of smaller attacks previously, and repeated warnings of security flaws prior to the main security breach. Since this network has more than 77 million registered users, it would seem the budget for security staff would’ve been near top priority, even as an insurance policy against potential brand damage, but apparently Sony, sometime during the decision process, may have viewed the costs as unjustified.
As budgets continue to be very cost-conscious in today’s network infrastructures, it’s tempting to cut as closely as possible to maintain a leaner workforce. While this process may seem like a financial imperative, there is a point of diminishing return, where a level of security protection is increasingly difficult to maintain. In a recent blog post, I wrote about the dollar cost of a data breach. This also has to enter into the equation; what is the cost in terms of brand damage if you get hacked? Not a simple equation, with all the variables involved in your unique organization. Still, expect customers to be more closely attuned to an organization’s stance on security, especially as they begin to feel the impact on their personal information. After all, no business want to find themselves in the particular spotlight Sony finds itself in recently, lawsuit or not.
Author Cameron Camp, ESET