The first class-action lawsuit has been filed over the breach of personal and possibly credit card data from Sony's PlayStation Network.

According to a statement on the website of the Rothken Law Firm, the complaint alleges Sony "failed to take reasonable care to protect, encrypt, and secure the private and sensitive data of its users."

The suit was started by Kristopher Johns of Alabama, according to the complaint, which is available online.

The complaint also claims Sony did not inform PSN users of the breach and its ramifications in a timely fashion.

The lawsuit seeks "monetary compensation for the data loss and loss of use of the Sony PlayStation Network, credit monitoring, and other relief," says the Rothken statement.

Game Hunters has reached out to Sony for a response. The company did reveal in a post on the official PlayStation blog that credit card data was encrypted, but they are still unsure of whether it was taken in the breach.

Sony released more information about its security measures in a blog post yesterday answering frequently asked questions the company has received since a data breach crippled its PlayStation Network.

The company said that all personal data was protected and credit card data was encrypted. Sony is also working on a software update that will require all users to reset their passwords once the network is restored.

Sony has said repeatedly that it has no proof that credit card data was actually stolen, though it is advising users to be on the lookout for mysterious charges just in case.

However, Ars Technica has reported that several of its readers have reported fraudulent credit card charges that coincide with the data breach. There’s no clear evidence that the fraud is linked to Sony’s breach, but at least one Ars reader said that the card that had the false charges was used for few things apart from purchases on the PSN.

Sony did not immediately respond to a request for comment on the Ars Technica report.

The company is facing more official inquiries as well, as lawmakers and regulatory agencies around the world ask for more information about the breach.

Bloomberg reported that, in addition to inquiries from Connecticut, the U.K. and Ireland, an Alabama man has sued Sony. Kristopher Johns is seeking reimbursement for any losses related to his credit card data being stolen and refunds for defective services.

According to unverified reports, hackers have stolen about 2.2 million credit cards from Sony's PlayStation Network.

Despite Sony's claim yesterday that the database of credit card information was encrypted, security researchers say they've seen forum discussions where the hackers brag about having credit card numbers in their possession, and are threatening to sell the information for up to $100,000, the New York Times reports.

"Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers," Mathew Solnik, a security consultant with iSEC Partners, told the New York Times, citing discussions in hacker forums.

Security researcher Kevin Stevens of Trend Micro tweeted, "Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date."

However in a later tweet Stevens said he had not seen the forum discussions himself and called responses to his tweet "a bunch of FUD," or "fear, uncertainty, and doubt": "I posted up what I saw to warn people, not to incite the masses to create FUD."

As expected, PSN users have taken to online communities to report fraudulent charges on their linked credit card accounts.
"Just got called by my credit card company, been charged 2 grand for some Paypal account in China...nice one Sony. At least I get it back #PSN," one user tweeted.

"Thanks #PSN. My CC was phished from your hack and I had $110 charged on my Amex in TX," tweeted another user from Los Angeles, CA.
"I had a call from my credit card company trying to verify a purchase which ended up being fraudulent. Same card I use on Sony's network. They denied [the charge] and issued me a new card," an Ars Technica reader commented. "Might be coincidence, but with the other security gaffes recently, I'm guessing not. Not sure what my opinion of Sony is right now and what my future is with them."

On Tuesday Patrick Seybold, senior director of corporate communications and social media at Sony, said in a blog post that there was no evidence that users' credit card information was stolen. But "out of an abundance of caution" he warned users that their credit card number and expiration date may have been obtained.

Sony's PlayStation Network has been having issues for over a week now, but it was not until Tuesday night that Sony confirmed that hackers had obtained personal information from the network.

Sony said it expects to "restore some services" within a week, or May 4, but lowered expectations on Wednesday with: "We want to be very clear that we will only restore operations when we are confident that the network is secure."

A California-based firm has filed a class-action suit against Sony for failing to adequately protect its customer data, and even members of Congress are urging Sony to provide some answers.

As Sony works to bring its PlayStation Network back online following a security breach last week, more government agencies are seeking answers from the company.

The Law and Regulations Commission of the city of Taipei, Taiwan, yesterday said it sent a letter to Sony asking for a full rundown of how the personal information and possibly credit card data of its PlayStation Network customers was compromised. It is also asking how Sony plans to compensate its customers.

The letter was sent Wednesday and Sony has 10 days to respond before incurring a fine from the commission of between NT$30,000 (U.S. $1,041) and NT$300,000 (U.S. $10,408) for violating the city's consumer protection laws.
Sony warned the more than 75 million customers of its PlayStation Network service on Tuesday that their names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, and user names, as well as online user handles, were obtained illegally by an "unauthorized person" last week. As a result, it has shut down PSN and Qriocity while it rebuilds the security.

Sony has said it "has no evidence" that credit cards numbers were exposed in the breach. A group of hackers has been bragging on Internet message boards that it is in possession of 2.2 million credit card numbers from Sony that it is attempting to sell back to the company, something a Sony spokesman has denied.

The company admitted that while credit card information was encrypted, names, e-mails, birthdays, passwords, and more were not.

Sony has taken heat from customers for waiting a week before informing them of the breach. But legal authorities have also been pressing Sony for answers on how they have so far handled the situation.

Before Taipei got involved, the UK Information Commissioners Office, the agency responsible for ensuring data protection and privacy, said it is investigating the matter. The country's Data Protection act requires any entity that handles private data of individuals to keep it secure. Serious breaches can incur penalties of up to £500,000 ($833,290), though it could be avoided if Sony agreed to improve its security to bring itself into compliance with the local law.

Canada's Privacy Commission is also undertaking an investigation into the matter, a commission spokeswoman said earlier this week.

U.S. Sen. Richard Blumenthal (D-Conn.) was the first to jump into the legal fray when he promptly sent a letter Tuesday to Jack Tretton, president and chief executive of Sony Computer Entertainment America, saying he was troubled that the company had not notified customers sooner about the breach. He also called for Sony to provide affected customers with financial data security services, including free access to credit reporting services for two years to protect against identity theft.

Sony has said it contacted law enforcement and is working with a private security firm to investigate the intrusion on its network. Reuters reports the company is working with the FBI.

Sony has also said it plans to compensate customers for the incident, though it hasn't revealed when or how.

The Homeland Security Department, charged with protecting the nation's critical infrastructure, is helping to mitigate the damage from a breach of customer account data on Sony's online video game and entertainment networks that could have affected 77 million users, DHS officials said.

While gaming and music networks may not be considered "critical infrastructure," the data that perpetrators accessed could be used to infiltrate other systems that are critical to people's financial security, according to some computer experts. Stolen passwords or profile information, especially codes that customers have used to register on other websites, can provide hackers with the tools needed to crack into corporate servers or open bank accounts.


The PlayStation site states that the perpetrator obtained the names, addresses and birth dates of registered users, as well as their email addresses, network usernames and login passwords. User profile information, such as answers to password security questions and purchase histories, also may have been taken. The company has no evidence that credit card data was stolen but officials said they cannot rule out the possibility.


US-CERT offers victimized companies guidance on service restoration and risk management, as well as recommendations for improving overall network and control systems security. The team also shares information gleaned from investigations with private sector and government cybersecurity specialists to prevent similar strikes elsewhere.


Patrick Burke, senior vice president in the national security sector at SRA International, said Homeland Security's role in a situation such as Sony's is to help companies exchange information about the nature of their losses with customers, the commercial sector and the government as soon as a breach is discovered. "There can't be a fear of retribution," he said.

"Now that this has happened I think it's time for law enforcement to do their jobs and catch the bad guys," Brito said.


FBI officials are involved in the case. "The FBI is aware of the reports concerning the alleged intrusion into the Sony on line game server and we have been in contact with Sony concerning this matter," FBI Special Agent Darrell Foxworth said in a statement. "We are presently reviewing the available information in an effort to determine the facts and circumstances concerning this alleged criminal activity."

The Sony incident "is scary but it's not world-ending scary," said Jerry Brito, director of the technology policy program at George Mason University's Mercatus Center. "We have much more to fear from nuclear weapons and real war."

2:18 JST: Yep, 30 day free PS Plus membership, 30 days of free service for Qriocity and Music Unlimited customers and a free gift of some software. Nice gesture.

2:19 JST: We missed a bit there, but it sounds like they're planning to restore full network functionality within the month. Considering it's May 1st, that could be quite a wait.