Sony Insurer Refuses Payout For Data Breach

One of Sony’s insurance companies has asked a US court to absolve it of any liability for losses related to the recent data breaches at the company.

Zurich American Insurance filed a lawsuit on Wednesday, arguing that Sony’s insurance policies do not cover liabilities arising from incidents such as data breaches. Legal papers filed by Zurich reveal that 55 class action lawsuits are pending in the US because of the breaches.

100 million users’ details breached

Earlier this year Sony admitted to losing account information for 77 million PlayStation Network and Qriocity users between 17 April and 19 April. The data included names, email addresses and phone numbers, and there were reports that the hackers had also stolen credit card information.

Then on 2 May security consultants uncovered a second breach, carried out between 16 April and 17 April. Their findings indicated that personal information from about 24.6 million Sony Online Entertainment accounts may have been stolen, as well as certain information from an outdated database from 2007.

This took the total number of user details that have been hacked to over 100 million. The hack has reportedly cost the company approximately $171.2 million (£106m) in losses.

Sony originally blamed Anonymous, claiming the breach had taken place while it was fending off a denial of service attack from the hacking group. However, Anonymous has denied any involvement with the incident.

Despite this, hackers were found to be bragging on online forums that they had a database of 2.2 million credit cards in their possession, which they were threatening to sell for up to $100,000 (£60,000).

Sony has reportedly demanded that Switzerland-based Zurich Insurance “defend and potentially indemnify them from class-action lawsuits, miscellaneous claims and possible probes by state attorneys general over the hacking”. However, Zurich claims it is “not obligated to defend or indemnify any of the Sony defendants for the claims asserted”.

Zurich suffers breach of its own

Last year, Zurich Insurance was hit with a record fine of £2.28 million, after its sister company Zurich South Africa lost an unencrypted backup tape containing the financial personal information of around 46,000 policy holders.

The tape, which was lost during an apparent routine transfer to a data storage centre in South Africa in 2008, was not reported missing until more than a year later. The Financial Services Authority (FSA) said the security breach could have exposed customers to “serious financial detriment” – although there is no evidence of data being compromised.

“Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data,” said Margaret Cole, the FSA’s director of enforcement and financial crime. “Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made.”