Sony Pictures has been hit by a second lawsuit alleging it didn't do enough to safeguard the personal information of employees that was lost in a major hack in late November.
Central to the lawsuit, which was filed at the U.S. District Court for the Central District of California, is the assertion that "cybercriminals were able to perpetrate a breach of this depth and scope because Sony Pictures Entertainment failed to maintain reasonable and adequate security measures to protect the employees' information from access and disclosure."
It follows a similar lawsuit on Monday filed in the same court by two former employees.
Like the previous lawsuit, Wednesday's relies heavily on media reports in its factual allegations. One such example is the allegation that hackers were able to get away with 100 terabytes of data, something previously claimed but never proven. To date, several dozen gigabytes of data have been released onto the Internet — a fraction of the amount.
Whatever the actual amount of data, the personal information leaked is very real.
In a letter sent to employees last week, Sony said the data included employee names, addresses, Social Security numbers, driver's license numbers, passport numbers, bank account information, credit card information for corporate travel, computer user names and passwords, salary details and "other employment related information."
It also could have included names, addresses, Social Security numbers and medical claims appeals information for staff and their family members that used Sony health plans. This latter set of data might have included medical claim codes, giving hackers an insight into medical conditions of staff and their families.
The latest lawsuit says that Sony first reached out to employees on the evening of Dec. 2, telling them "that a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents." It also told employees "to assume that information about [them] in the possession of the company might be in [the hackers'] possession."
The suit was filed by two former employees. Joshua Forster was employed by Sony Pictures between 2013 and February 2014 and Ella Archibeque worked at Sony Pictures from 2002 to 2009.
It seeks class action status, which if approved by the court, would mean other affected Sony employees could sign on to the lawsuit.
Sign up for Computerworld eNewsletters.