By Claudiu Popa
For the past few days, we’ve been privy to tidbits of information about the recent PlayStation Network breach (hereafter known as the PSN Breach), often dismissive in tone and always shrouded in a certain aura of non-seriousness because the victim is an entertainment industry fixture. Indeed, breaches of government records, personal health information and financial data garner a vastly more pronounced knee-jerk reaction of shock and awe.
By now millions of people are in receipt of a carefully worded letter, written using recycled electrons and no doubt a gazillion internal revisions. By many accounts, some 77 million members of the PlayStation(R) Network have had their information compromised by Sony and Qriocity. Far be it from these companies to acknowledge the existence of organized crime on the Internet; they indicate only that “an unauthorized person” has obtained the following information. In other words, “dear loyal customer, we failed to protect the data you entrusted to us, and the following information of yours is now in the custody of a criminal”.
And they go on to list the information that may now be in enemy hands as a result of this debacle. You may wish to get comfortable at this point:
- Address (city, state/province, zip or postal code)
- Email address
- Birth date
- PlayStation Network/Qriocity password
- Password security answers
- Handle/PSN online ID
- Profile data potentially including purchase history and billing address (city, state/province, zip or postal code)
- Credit card data and expiration date
The letter goes on to say that “if you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained”.
Okay! Thanks, Sony. We’ll let our dependents know that while they depended on us, we depended on you.
I note a couple of interesting things about this letter, beyond the fact that it places the blame on an ‘unauthorized individual’ rather than a ‘party’. The latter might imply that your information is out there, likely being mined and correlated with millions of other records from other breaches to build a pretty valuable profile of you for use in the months and years to come. No. An ‘individual’. A lone wolf perhaps, with a thirst for tens of millions of gaming profiles on the now comatose PSN. Right.
The letter specifies that a “full and complete” investigation is now in effect while the Network is down. It is quick to point out, however, that there is “no evidence at this time” (naturally, since it was sent before the investigation was completed) but that there is a possibility your credit card data may have been taken. We just don’t know yet. But there’s a possibility… so “we encourage you to remain vigilant, to review your account statements and to monitor your credit or similar types of reports… we regret any inconvenience”. This “out of an abundance of caution”. Bravo! Whoever came up with that phrase at Sony, a tip of my hat to you. If that same “abundance” had been exercised before, by someone, we might not be in this situation.
According to the company, “Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority.”
In other words, the priority – now that all client and subscriber data has presumably been stolen and probably has already changed hands – is to start protecting it. Or perhaps the argument is that because there already were security measures in place, it took this long for it to get stolen, so we owe Sony for prolonging the time that we had with our eventually doomed data. But what if security measures were so poor that the data has been compromised many times in the past and this latest breach was only the clumsiest one to date, allowing the ‘individual’ to be detected?
Either way, it’s good to know that this is now the utmost priority!
Let’s be crystal clear here. This kind of retroactive mea culpa is not borne out of morality but comes from a legal requirement to disclose security breaches. Unfortunately for Sony, it is a massive blemish on its reputation and threatens to further impact its global operations. It underlines its abject failure to protect client data with confidentiality controls (read: encryption) and exposes its lack of compliance with the Payment Card Industry (PCI) standard. Had this non-compliance been known or made public beforehand, it would have legally prevented the company from conducting much of its online business, at least, through the PlayStation Network. Instead, a breach of catastrophic proportions had to occur for the company to craft such well-turned phrases as those you should now revisit in the preceding paragraph. A class action lawsuit has already been filed. For a somewhat wordier, but no less patronizing, version of the letter that arrived in my inbox (minus the handy French translation thoughtfully provided to Canadian recipients), see the Sony blog.
About the author:
Claudiu Popa is the CEO of Toronto’s Informatica Corporation (www.InformaticaSecurity.com). Follow him at http://Twitter.ClaudiuPopa.com or http://subscribe.ClaudiuPopa.com for blog posts and rants.