The ongoing fallout from last month’s cyber attack at Sony Pictures Entertainment continues this week as two former employees are suing the company after their personal information was exposed as part of the high-profile hack.
Michael Corona and Christina Mathis haven’t worked for Sony Pictures for years, but the former employees both claim that their sensitive personal information — including their names, Social Security numbers, former addresses and other info — was made public in the past month due to “security weaknesses in Sony’s Network.” That’s according to a lawsuit the two filed on Monday in California federal court in which they claim Sony Pictures failed in its legal duty to protect the personal information of current and former employees affected by the hack.
A group identifying itself as Guardians of Peace, or GOP, shut down Sony Pictures’ computer system just before Thanksgiving and have been releasing sensitive company documents on the Internet in subsequent weeks. The hackers posted documents revealing salary information and personal identifying information for thousands of the company’s employees along with other confidential financial documents and passwords for company accounts and computer systems. Over the past few weeks, the hackers have also leaked a mountain of embarrassing e-mail correspondence involving Sony executives — to the point that the company has asked the media to stop publishing excerpts from the once-private messages.
In their lawsuit, Corona and Mathis claim that their personal information was included in the documents the hackers revealed to the world, despite the fact that Corona left the company in 2007 and Mathis has not worked there for 12 years. (The complaint does not specify what the plaintiffs’ roles at Sony were, though it notes that Corona worked for Sony Pictures Entertainment while Mathis was employed by the company’s consumer products arm.) Both Corona and Mathis claim that the release of their information has forced them to spend hundreds of dollars on identity theft protection.
TIME’s Sam Frizell wrote last week about the possibility of employee lawsuits against Sony Pictures, noting that the company’s defense in such a legal action would hinge on whether the company could prove it took the appropriate steps to protect its employees’ personal data.
Monday’s lawsuit alleges that Sony Pictures failed to improve its security after what it describes as a history of data breaches. The suit refers to the 2011 hack of Sony’s PlayStation Network and calls the company “a longstanding and frequent target for hackers.” The complaint also references a recent Gizmodo report that Sony Pictures’ own corporate audit department warned the company about problems with its IT security just months before the November hack. Despite the alleged risk Sony Pictures faced, the company “made a business decision” to not step up its security, the lawsuit claims.
The plaintiffs are asking the court to certify the lawsuit as a class action, which would allow other current and former Sony Pictures employees to join the lawsuit. Corona and Mathis are seeking various damages from Sony Pictures, including at least $1,000 for each class member eventually attached to the lawsuit. They also want the company to pay for five years of credit and bank monitoring services as well as identity theft insurance for all class members.
Sony Pictures declined to comment on the lawsuit.