A new class-action lawsuit has been filed against Sony that claims the company has been negligent with online security, leading to multiple hostile attacks and the loss of customers' private data. The suit claims that personal information—including credit card numbers and expiration dates—was taken from Sony's servers, and cites a number of confidential witnesses who claimed Sony's security was inadequate. Perhaps most damning is the claim that Sony laid off employees working in security before the attacks.

"Sony was more concerned about their development server being hacked rather than some consumer's data being stolen," according to a confidential witness quoted in the complaint. "They want to protect themselves and not the people that use their servers."

While Sony has always stressed that the company has no reason to believe credit information was compromised, the complaint treats the theft of credit card data as fact. The suit claims that Sony "spent lavishly to secure its proprietary development server containing its own sensitive information," while not providing nearly the same level of security for the information of its customers.

In fact, the suit alleges that Sony was trying to cut costs in this area. The following paragraph from the complaint explains the claim:

Just two weeks before the April breach, Sony laid off a substantial percentage of its Sony Online Entertainment workforce, including a number of employees in the Network Operations Center, which, according to Confidential Witness 2, is the group that is responsible for preparing for and responding to security breaches, and who ostensibly has the skills to bring the Network's security technology up-to-date.

Another witness stated that PS3 systems are designed to be secured by a random number generator, but in practice each console has the same access number, making each system easier to hack. If you have one code, you have them all. The suit also quotes Sony deputy president Kazuo Hirai as saying that the company will now bring security practices "at least in line with industry standards or better," leading to the conclusion that, prior to the hack, security was in fact below industry standards.

Other pieces of evidence from the suit are weaker, such as the claim that Sony's unwillingness to disclose the methods used to encrypt credit card data is evidence that the encryption is "either weak or easily broken."

The suit asks for "appropriate" restitution for class members, credit-monitoring services, and "exemplary damages" if it's found that Sony acted in a reckless or negligent manner.