A U.S. class action lawsuit has been filed over a Sony PlayStation Network data breach that may have let thieves steal the personal information of more than 75 million users worldwide.
"We brought this lawsuit on behalf of consumers to learn the full extent of Sony PlayStation Network data security practices and the data loss and to seek a remedy for consumers," lawyer Ira Rothken said in a statement announcing the lawsuit Wednesday.
Rothken's San Francisco-based law firm filed the suit Wednesday in the U.S. district court for the northern district of California on behalf of Birmingham, Ala., resident Kristopher Johns and other PlayStation Network and Qriocity subscribers who suffered loss of service or breach of security on or about April 17 and 19.
Sony shut down both services on April 20, after detecting an "external intrusion" the day before. Late Tuesday afternoon, six days after the shutdown, the company announced that it believed an unauthorized person had obtained information from user accounts that included names, addresses, email addresses, birthdates, logins, passwords, and possibly billing information and credit card data.
The lawsuit alleges that Sony, based on available information, failed to use enough security such as encryption and firewalls to protect users' sensitive data and failed to "provide prompt and adequate warnings of security breaches."
The complaint also alleges that some subscribers have become victims of credit card fraud that they believe is linked to the data breach.
The lawsuit is seeking financial compensation for data loss and the loss of the use of the network. It also wants Sony to cover credit monitoring for affected subscribers.
The PlayStation Network allows users to play online games, surf the web, chat with friends and download games and other content from the PlayStation store. It is free to join, but users must pay for some content.
Qriocity streams movies on demand to compatible Sony devices such as HDTVs and Blu-ray players for a monthly fee.
Credit card data encrypted: Sony
Late Wednesday, Sony posted an updated FAQ on its PlayStation blog clarifying that users' credit card information was encrypted and there was no evidence that it had been taken. However, it said the possibility could not be ruled out.
Other personal information was not encrypted but was "behind a very sophisticated security system that was breached in a malicious attack," the blog added.
The company estimated that some of its services would be restored by May 3, once it was confident that the network was secure.
At that point, it recommends that users log on and change their password.
"Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well," it said.
Sony said it continues to work with law enforcement and a technology security firm to conduct a complete investigation.
It added that it is also enhancing and strengthening its network.