Gartner Blog Network


Sony Sued For Losing Unprotectable Data

by Jay Heiser  |  December 18, 2014

The gist of a new lawsuit against Sony is that by failing to adequately protect social security numbers, they have doomed former employees to a lifetime of credit fraud.

“The class-action suit was filed by Michael Corona and Christina Mathis, both of whom had their social security numbers made public after a hacking group calling itself Guardians of Peace dumped studio documents, employee information and salary charts online….Corona was an employee from 2004 to 2007. The suit says that he has so far spent $700 for a year of identity theft protection.” (Source: Sony hit with Class Action Lawsuit by ex-Employees)

It boggles the mind to think that every current and former Sony employee immediately needs to pony up $300-700 to hire a personal financial security guard.  I don’t actually believe that they do, but if you are trying to generate sympathy for a lawsuit, why not claim that anyone ever employed by Sony has just lost hundreds of dollars?

All other ramifications of the Sony hack aside, as in the hack against JP Morgan Chase reported several months ago, the form of data in question in this lawsuit consists of a phone book. The personal data stolen from Sony that is referred to in this lawsuit consists of personal identifiers.   Names and addresses are matters of public record and can never be protected.  Social Security Numbers (SSNs) are theoretically not matters of public record, but the awkward truth is that so many different parties use them that they can never be protected from somebody who is highly motivated to obtain them.

Motivation is the systemic problem here: if possession of someone’s SSN is sufficient information to commit credit fraud, then widespread credit fraud is inevitable.  The CISO asked to protect names and SSNs has been handed a Sisyphean task that can never be successful.  The banking, card processing, and legal systems have inadvertently contributed to an unsustainable situation in which individuals have no choice but to share their SSN and name with countless commercial and governmental organizations.  Those organizations have no choice but to maintain multiple copies of that personal data, and often must share it externally in support of business process.  If that data can be exploited to commit fraud, it is inevitable that people will be motivated to steal it.

Further security failures are inevitable. No organization handling large amounts of personal data can ever hope to fully protect it from theft. All they can do is try to encourage the crooks to attack some other organization instead.

If Sony employees actually do need to pay money out of pocket to protect themselves, it should be viewed as evidence of a systemic problem with the legal structure of our financial system.  The problem isn’t that SSNs are not being adequately protected–the problem is that they are being inappropriately used.  Instead of pretending that we can actually protect personal information, we need to better protect consumers from creditors that are not adequately authenticating the individuals they give credit to.
