Sony Agrees To $15 Million Payout, Free PS3 Games In PlayStation Breach Settlement


Sony has agreed to pay $15 million to users of its services impacted by its massive 2011 data breach and the nearly monthlong outage of its popular PlayStation Network and Qriocity music service.

Sony Computer Entertainment America indicated its support of the settlement in documents filed in U.S. District Court of Southern California on June 13. If the federal judge approves the terms, the settlement reached will put to rest 65 class action lawsuits that were filed against Sony following the breach. It would give U.S. residents who held PlayStation Network, Qriocity or Sony Online Entertainment accounts prior to May 15, 2011, eligibility to apply for losses associated with the breach.

Sony agreed to pay out a free PS3 or PSP game, three free PS3 themes or a free three-month subscription to PlayStation Plus. It also agreed to pay out account balances of $2 or more that had been inactive since the intrusions. Account holders of its Qriocity service who did not have a PlayStation Network account would be eligible for a free month of Music Unlimited from the service. Under the agreement, Sony Online Entertainment account holders would get a $4.50 credit.

In addition, Sony agreed to reimburse out-of-pocket charges of up to $2,500 due to actual identity theft associated with the breach. Account holders must provide documentation proving that the theft was caused by the intrusions, according to the settlement.

In January, the plaintiffs in the case were dealt a blow when a federal judge dismissed many of the negligence claims in the lawsuit. As part of the settlement agreement, Sony denies any claims of wrongdoing or that it "violated any laws or did anything wrong," according to the court documents outlining the settlement.

Solution providers say the agreement, if approved, is only a minor inconvenience for Sony, which had estimated the costs associated with the data breach at more than $171 million. The Sony data breach took place in April 2011 and impacted at least 77 million PlayStation account holders, making it one of the largest data breaches at the time. The Sony breach exposed login credentials, names, addresses, phone numbers and email addresses of account holders. The tally of those impacted grew an additional 24.6 million after investigators discovered attackers also penetrated systems associated with Sony Entertainment in another breach. The company offered U.S. PlayStation users one year of identity theft protection immediately following the breach.

The high-profile and broad, global scope of the Sony data breach took attention off of TJX Corp., which had suffered a serious credit card breach in 2007, impacting 45 million credit and debit card holders. In that instance, criminals gained access to the data by targeting weak Wi-Fi access points at the retailers T.J. Maxx, Marshalls, and other brick-and-mortar locations.

The Sony breach is sometimes a topic of discussion with clients who are concerned about service disruption and data security in the cloud, said Michael Aquino, director of cloud services at Chesapeake, Va.-based Cetan, a managed services provider.

"It's a big deal to have something come down or be brought offline and have the whole world out there to see it," Aquino said. "Service providers that want to remain in business will address the client's risk tolerance and ensure their service level needs are met."
