Sony faces legal action over attack on PlayStation network

A lawsuit has been filed in the US against Sony over the hack of its PlayStation Network.

The legal action by a PSN user claims Sony did not do enough to protect the private data of its customers.

It also asks for compensation and for Sony to pay for credit card monitoring to spot if stolen details are being used fraudulently.

At the same time, the attorney generals for four US states have begun looking into the attack.

The scale of the security breach suffered by the PlayStation Network (PSN) became apparent on 27 April.

In a statement posted on the official PlayStation blog, the company said user account information for the PlayStation Network and Qriocity services had been compromised following an "illegal and unauthorized intrusion into our network".

The company posted an apology for the security breach and ongoing disruption to the PSN and Qriocity services.

Personal information including name, address, e-mail address, login details for PSN and Qriocity was taken. Also, said Sony, although credit card data was encrypted and there was no evidence it was stolen, the theft of the data could not be ruled out.

The blog posting warned users to look out for attempted telephone and e-mail scams that use stolen information to lend them credibility. About 77 million people are thought to have been affected by the attack.

Technology news site Ars Technica said it had been contacted by many readers who said the credit card they used for the PSN had been used fraudulently recently.

Ars Technica reporter Ben Kuchera said it was hard to confirm if the problems were related to the PSN attack, adding: "We may be dealing with a coincidence in timing."

On 27 April, a lawsuit was filed in California on behalf of Alabama resident Kristopher Johns, accusing Sony of not taking "reasonable care to protect, encrypt, and secure the private and sensitive data of its users".

Law firm Rothken is seeking damages for its client.

In a separate move, attorneys general from Iowa, Connecticut, Florida and Massachusetts said they had started investigations into the PSN hack.

The UK Information Commissioner Christopher Graham, is also considering taking action over the case.

Speaking on BBC Radio 4's "You and Yours" programme, he said it looked like "a very significant breach of data protection law".

The Information Commissioner's Office (ICO) has the power to impose fines of up to £500,000.

His ability to take action ultimately depended on whether PSN data was stored in the UK - something he was still trying to establish.

The theft of so much detailed customer data would be seen as a "public relations disaster", according to Graham Cluley, senior technology consultant at security firm Sophos.

"This is a big one," he told BBC News.

"The PlayStation Network is a real consumer product. It is in lots of homes all over the world.

"The impact of this could be much greater than your typical internet hack."

Mr Cluley warned that, even without credit card details, the information taken was enough to help criminals carry out further attacks on other services.

"Some people will use the same passwords on other sites. If I was a hacker right now, I would be taking those e-mail addresses and trying those passwords," he said.

PlayStation users got their first indication that something was wrong with the service when it became unavailable on Wednesday 20 April.

In the following days, Sony issued three brief statements asking users to be patient while it investigated an "external intrusion", or hack.

The Sony PlayStation Network remains unavailable to users. The company has not said when full service will be restored.

On its blog it said it might be a week or more before some elements returned. However, it added, the system would not be turned back on until it was happy it was secure.

As part of its efforts to beef up security and ensure the network is not compromised again, Sony said it was going to move the PSN infrastructure to a new more secure location.