Sony Pictures Ex-Employees Report Being Victim to Identity Fraud

Sony Pictures Entertainment Studios - H 2014
AP Images

Sony Pictures Entertainment Studios - H 2014

One former Sony Pictures employee is reporting that an identity thief charged $3,845 to his credit card. Another ex-employee discovered unauthorized credit cards opened in his name. At least two others have found their personal information available for purchase on black market websites.

These reports of identify theft are notable because after Sony Pictures was hacked, and former employees brought lawsuits over the company's alleged negligence, the film studio responded by asserting there weren't claims of concrete injuries, merely theoretical future harm.

Last month, a federal judge in California allowed the case to proceed anyway.

Now, those suing are detailing their credit troubles in the wake of the hack for the first time and have moved onto the next stage of the case: They have filed papers in a bid to certify a class action against Sony.

The crux of the case is that Sony could have done more to prevent or mitigate an attack that the U.S. government has attributed to the North Korean regime in advance of the release of The Interview. The plaintiffs argue that Sony "devoted meager resources to data security, assigning only eleven employees to its information security team, and repeatedly ignored warnings about security gaps and violations."

Sony disputes this assessment. The company recently told Fortune, “any suggestion Sony Pictures Entertainment should have been able to defend itself against this attack is deeply flawed."

A judge's decision on whether or not to certify a class depends on four factors. Numerosity: The plaintiffs say the number of Sony employees whose personally identifiable information was posted on the Internet numbers in the tens of thousands. Commonality: The plaintiffs say the overarching factual question is what efforts Sony took to safeguard its employees information. Typicality: The plaintiffs say that just like the proposed class, they provided Sony with their personal information during the course of their employment. Adequacy: The plaintiffs say they have no conflicts with class members and will prosecute the case vigorously.

The plaintiffs say they face long-term risk of identity fraud and are leaning on the opinions of data privacy expert Dr. Larry Ponomeon, who reports that the exposed personal information "is precisely what cyber criminals need in order to commit sophisticated identity theft crimes for many years," and in a nod towards the fact that Wikileaks has posted Sony hack documents, also states in a report that, "What makes this case so unique and dangerous is the nature of the employee-related information stolen and subsequently posted to a public Internet site."

Ponomenon also reports that six of the named plaintiffs have already experienced an attempted identity fraud or notice of black market activity after the hack. That's six of eight named plaintiffs in total. It's too small a sample size to draw conclusions, but that's 75 percent of them.

One of the plaintiffs notified that her information is up for sale on the black market is Marcela Bailey, who worked at Sony for more than two decades until February 2013 and whose bio says she oversaw global information technology strategy and direction. On Friday, Sony was scheduled to depose her.

The questions could be probing. Among the many defenses that Sony is putting forward in this lawsuit is comparative negligence — based on the plaintiffs' own negligence —and failure to mitigate. Sony hasn't yet spelled out its theories on how employees may have contributed to the mess.

As for damages, the plaintiffs haven't targeted a specific number, but if there are really tens of thousands in the class, the damages could easily rise to about $50 million. The plaintiffs have submitted a report from an expert in economic analysis and forecasting who concludes that each class member would be entitled to $1,000 in statutory damages and about $637 for two years of credit monitoring and identity theft protection.

Here's the plaintiffs' memorandum of points and authorities in support of the motion for class certification.