News

Sony Security Breach Among the Biggest in History

Multiple reports focus on the massive Sony breach involving more than 75 million account holders with PlayStation Network. Account holders have received a warning that:

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit or similar types of reports.

I’ll have more to say on the issue in my column next week.

3 Comments

  1. Looking forward to what you have to say on this. Also, a class action lawsuit was filed against Sony on Wednesday in the US:

    http://bit.ly/jgb9XB

  2. 75 million?
    The whole 70+ million accounts number is misleading because many, many of those are fake accounts. I personally have 5 different PSN accounts and they all have fake data on them. Having said that, it’s still a mammoth amount of user info that got stolen. Also, in a lot of ways CC information being stolen is trivial compared to user information like addresses, usernames, passwords, secret question answers, etc. You can cancel CCs, but moving isn’t something most people can do, and you can’t change the answer to a question without making it useless. It’s also information that can come back to haunt you a lot later compared to CCs, which expire.

    Then there’s Sony’s assurance that the CC data was encrypted. But of course encryption can be broken. All this really means is Sony has covered their behinds, since while user information wasn’t encrypted, it’s fairly common practice not to. Even though Sony’s PSN terms of use clearly state they are not responsible for the user information held on their servers, it doesn’t mean they are allowed to be grossly negligent. The fact that the CCs were encrypted just absolves them of gross negligence.

    The whole hacker log bit about how the PS3 was handling CC data over SSL in plain text is misconstrued, because you don’t normally obscure information on the user end. As long as the PS3 wasn’t holding the information in plain text, Sony again isn’t at fault. Yes, it would be nice to encrypt the data being sent with one key and then have the SSL encryption over that with another key, but not many systems do that.

    Then there’s the whole network intrusion itself. No network is safe from intrusion; people with the ability to hack into networks have proven that over and over. Probably the only safe network is one not connected to the outside world, which in turn would make the network not very useful. Sony simply got targeted because they pissed off the wrong crowd.

    The “how” of the intrusion I think is very important here too. If rumors are true, the entire thing touched off with PS3 jailbreakers getting access to the PSN dev network to allow them to play online with their jailbroken consoles. This in turn allowed them access to the PSN store for free downloads. This in turn allowed some of the more ingenious users to get deeper access to the PSN service, including user information databases. Which ultimately means Geohot and his release of the PS3’s security encryption keys was what led to this mess in the first place. But that’s a lot of “ifs”.

    As a consumer though, the biggest issue I have with all of this, aside from having my fake data stolen (hah!), is how long it took Sony to announce the information. They surely must have had some idea, after they discovered the intrusion, that internal user information had been compromised. Yet they took a week to let people know. My bank warns me about a “possible” security breach with, say, my debit card all the time. The possibility of a breach should have been enough to spur Sony into letting their user base know the minute they even suspected anything.

  3. US customers get more advice
    The blog post on Sony’s site gave much more information than the email sent to Canadian residents:
    http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

    The email to Canadian users was also sent the next day.

    Bad service.