(Bloomberg) -- The massive hack of Sony Pictures EntertainmentInc.’s computers has spurred what may be the first lawsuit byformer employees accusing the movie company of failing to protectthe personal information of thousands of workers.

Two ex-employees called the breach “an epic nightmare, muchbetter suited to a cinematic thriller than to real life.”

Sony knew it had inadequate measures in place to protect itsdata and suffered breaches twice before this year’s attack, inwhich hackers got into the company’s computer systems and releasedemployee salaries, worker health data, racially tinged e-mailbanter and other sensitive information, according to the complaintfiled yesterday in Los Angeles federal court.

“Sony made a ‘business decision to accept the risk’ of lossesassociated with being hacked,” according to the ex-workers, whoseek to sue on behalf of about 15,000 current and former employeeswhose data was compromised.

Representatives of Culver City, California-based Sony Picturesdidn’t immediately respond to phone and e-mail messages seekingcomment on the lawsuit.

Sony Warned

Sony Corp. was warned about a year ago that hackers hadinfiltrated its network and were stealing gigabytes of data severaltimes a week, underscoring a pattern of lapses predating the recentattack.

The hackers, who haven’t been identified, sifted in late 2013through data from the company’s network, encrypted the informationto cover their tracks and mined it on a regular schedule, said aperson familiar with Sony’s investigation of the breach, who askednot to be named because the findings are confidential.

The two former employees, one a Virginia resident who worked atSony from to 2004 to 2007 and the other a California woman whoworked at Sony from 2000 to 2002, say they have had to buyidentity-theft protection and have spent as much as 50 hourssafeguarding themselves against any possible harm from the stolenpersonal information.

They seek unspecified damages for negligence and violations ofCalifornia and Virginia state laws.

Tough Proof

In general, it’s hard for plaintiffs to prove harm from stolenpersonal data when they haven’t become actual victims of identitytheft, said Jonathan Handel, who teaches entertainment law at theUniversity of Southern California. If actual identity theft hasoccurred, the claims may not be suitable for a class action likethis one, he said.

“It’s a different type of financial harm if I can’t close onbuying a house because of identity theft than if I can’t buy abunch of Tiffany jewelry,” Handel said in a phone interview.

Sony Pictures said in a Dec. 8 letter to its employees, filedwith the California Attorney General’s Office, that the hackers mayhave stolen Social Security, driver’s license and passport numbers,as well as credit-card, compensation and medical information, amongother private data.

The studio said in the letter that it’s offering all employees12 months of identity protection services at no charge through athird-party provider.

The case is Corona v. Sony Pictures Entertainment Inc.,14-09600, U.S. District Court, Central District of California (LosAngeles).

--With assistance from Jordan Robertson and Michael Riley inWashington.

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.