Sony Pictures’ $8m legal settlement with former employees affected by data leaks that followed a cyber attack on the company in 2014 underlines the need to secure personal data, according to experts.
The lawsuit claimed Sony knew confidential employee data was inadequately protected before the breach, which has been linked to North Korea and the release of the film The Interview.
The attack crippled the company’s network and exposed the personal details of 47,000 celebrities, freelancers, and current and former employees.
The leaked data included social security numbers, addresses, details of salaries and bonuses, performance reviews, criminal background checks and termination records, correspondence about employee medical conditions, and passport and visa information.
Some former employees have claimed to have been victims of identity fraud, with credit cards being opened in their names and their personally identifiable information offered for sale online.
Sony reportedly attempted to block the lawsuit by claiming none of the complainants suffered financial loss.
Commentators said that, after Sony’s request for dismissal was denied, the company probably decided that settling the issue out of court would be the better option.
Under the settlement, which reportedly still has to be approved by a judge, Sony will pay up to $10,000 to each claimant for identity theft losses, up to $1,000 each to cover the cost of credit-fraud protection services, and up to $3.5m to cover legal fees.
Sony Pictures chief executive Michael Lynton said the agreement was “an important, positive step forward in putting the cyber attack firmly behind us”.
Some commentators said the settlement should be a warning to all digital businesses that customers, employees and stakeholders can demand more than ever before.
“It is therefore imperative that businesses of all sizes – whether you are a high-profile brand such as Sony Pictures or an emerging SME [small or medium-sized enterprise] – are taking every possible effort to secure customer data as a standard procedure, not as an afterthought in response to a data breach,” said Bill Berutti, president of cloud, datacentre and performance businesses at IT services firm BMC.
“To keep the hackers at bay, digital businesses should consider implementing practical steps to bolster perimeter security,” he said.
According to Berutti, businesses should ensure that they are able to respond as quickly as possible to a known vulnerability, that they secure all internal systems, and that they take steps to secure third-party software, which can often be the gateway to a security incident within the company.
“Taking these steps could maintain reputations, prevent significant financial losses, and ultimately help retain a loyal employee and customer base for the future,” he said.