Several of the cases presented to different district courts in California have accused Sony of negligence and violation of their contracts with users of the PlayStation Network.
Both suits seek damages and class-action status.
Sony did not comment on the lawsuits overnight but said it was working with investigators and would restore services only when it was confident the network was secure.
The PlayStation Network and Qriocity streaming music service were turned off on April 20 following an “external intrusion”, according to Sony spokesman Patrick Seybold.
“We are currently working with law enforcement on this matter as well as a recognised technology security firm to conduct a complete investigation,” Seybold said in a blog posted overnight on the PlayStation website.
“This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.”
Launched in November 2006, the PlayStation Network allows PlayStation console users to play games online, challenge others on the internet, stream movies or get other services.
The Japanese electronics giant said it was possible hackers had taken users’ credit-card data.
“While all credit-card information stored in our systems is encrypted and there is no evidence at this time that credit-card data was taken, we cannot rule out the possibility,” Seybold said, warning that “we are advising you that your credit-card number and expiration date may have been obtained”.
Sony said it had emailed all 77 million PlayStation Network users worldwide to warn them that their data may have been stolen.
The lawsuit filed in southern California on behalf of a Michigan PlayStation Network user contended that the security breach resulted from Sony’s “failure to use reasonable care and maintain appropriate security procedures”.
The lawsuits also faulted Sony for not alerting PlayStation Network users until April 26 about the hacking, which the company reportedly discovered between April 17 and 19.
The stolen information can be found in people’s passwords, dates of birth and other personal data that can be used to hack into online accounts, or to mimic them on the Internet.