What Happened?
Sometime between April 17 and April 19, 2011, hackers broke into the Playstation Network (Bloomberg). On Wednesday, April 20, 2011, Sony shut down the PlayStation Network and Qriocity services in response to the intrusion, but did not inform consumers of the intrusion. (Bloomberg; Seybold 04/26/2011).
Sony lacked the in-house expertise to evaluate the intrusion, but instead of informing consumers about the intrusion so that they might mitigate any possible damage, this information was kept secret.
By Tuesday, Sony had “reported the breach to the Federal Bureau of Investigation in San Diego, which specializes in compute r crime”( Stelter & Bilton). To provide the FBI with information about the case you can call the FBI headquarters at (202) 324-3000.” (Snider).
Although Sony executive Patrick Seybold, Sr. Director, Corporate Communications & Social Media, claims that they “Quickly [took] steps to enhance security and strengthen our network infrastructure” (Seybold). Journalists are questioning how “quick” Sony’s response was given the intrusion occurred around April 18th and clients were not informed about the possibility that their information was compromised until Tuesday April 26th (Theriault).
Moreover, consumers and journalists are not impressed with the fact that Sony did not already have a safe system, but instead waited for this intrusion before “re-building [their] system to provide [users] with greater protection of [their] personal information” (Seybold ). Even Senator Richard Blumenthal, contacted Sony, “saying he was troubled that the company had not notified customers sooner about the breach” (Ogg).
Should Users be Concerned?
Although Ann Carrns, blogging for the New York Times, claims that users should “remain calm”, what she actually means is that those consumers who used credit cards rather than debit cards and who regularly monitor their credit card statements and bank statements and can afford a “limited” debit card loss, should remain calm. Oh and anyway, these types of hackers, Carrns writes, “are often looking for notoriety, rather than to resell financial information” (Carrns).
Wall Street Journal blogger, Ben Rooney, indicates that the type of data stolen is very valuable, “complete data including billing address, email addresses and personal information like dates of birth, represent the rich data that allow highly targeted attacks against individuals. This sort of data commands much higher prices—and is much sought after by cyber criminals” (Rooney).
“With the sort of data compromised it is possible for criminals to commit identity theft and use your details to open bank accounts, take out mobile phone contracts, and even re-direct your mail. Security professionals suggest obtaining a copy of your credit report which should give a complete account of your status as well as any searches against your credit history” (Rooney).
Graham Cluley, of naked security, the IT security blog of the year, explains how hackers could use the stolen information to “[b]reak into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you” (Cluley).
Carrns optimism seems to be unfounded, given that senior threat researcher, Kevin Stevens from the security firm Trend Micro, “said that the forums indicated the hackers had a database containing the personal information, and that they were hoping to sell it “for upwards of $100,000.” Apparently the hackers had even tried to sell the information back to Sony, but they didn’t receive a reply from the Japanese electronics company” (Mogg). I guess these are the rare hackers that prefer millions of dollars over notoriety.
How are users responding?
Some users have already begun to report fraudulent charges on their credit and debit cards. One user said that “a ticket was purchased through a German airline for nearly $600” leaving her with a negative account balance of $500 (Kuchera).
An Alabama user has already filed a class action suit against Sony in the 9th District court, asking among other things for monetary compensation and free credit card monitoring (Ogg) . The complaint asks for:
“1)An order certifying this case as a class action and appointing Plaintiff and his counsel to represent the Class.
2) Restitution and disgorgement of all amounts obtained by Defendant as a result of its misconduct, together with interest thereon from the date of payment, to the victims of such violations.
3) Actual damages for injuries suffered by Plaintiff and the Class.
4) Compensatory money damages according to proof.
5) Statutory damages according to proof.
6) An order requiring Defendant to immediately cease its wrongful conduct as set forth above; enjoining Defendant from continuing to falsely market and advertise, conceal material information and conduct business via the unlawful and unfair business acts and practices complained of herein; ordering Defendant to engage in a corrective notice campaign; and requiring Defendant to refund to Plaintiff and all members of the Class the funds paid to Defendant for the defective PlayStations and PSN services; ordering Defendant to pay for credit card monitoring for Plaintiff and all members of the Class.
7) Punitive damages.
8) Attorneys’ fees and costs.
9) For statutory prejudgment interest.
10) For such other relief as this Court may deem just and proper” (JOHNS v. SONY).
In short the complaint alleges that Sony did not take “reasonable care to protect, encrypt, and secure the private and sensitive data of its users” and that this precluded consumers from being able to make informed decisions about how to best mitigate the possible damages that could result from having their information stolen (Ogg; Clark).
Senators Dick Blumenthal, and Bobby Rush have both responded to the breach with press releases. Blumenthal berates Sony execs in a letter, for mishandling the breach and for failing to have adequate security precautions. Rush gets to the heart of the matter, and calls for Republican senators to work with democrats to get a bill passed that would require corporations to take better security precautions with users data (Blumenthal; Rush).
What repercussions will this have for Sony?
Sony will likely face staggering legal bills, not to mention that they will likely want to start placating consumers financially, even before the suit is settled or tried (Clark). Whether or not gamers will vote Sony off the island by, is yet to be seen, but at least one journalist thinks they would be crazy not to. “… the gamer (and any sane consumer) also says this: If you are cavalier with my personal information I will punish you by walking away” (Schiesel).
References
- Bloomberg, Birmingham man sues Sony over PlayStation security breach, Al.com, Apr 27, 2011, available at http://blog.al.com/wire/2011/04/birmingham_man_sues_sony_over.html
- Blumenthal Demands Answers from Sony over Playstation Data Breach, Tuesday, April 26, 2011, available at http://blumenthal.senate.gov/press/release/index.cfm?id=82698973-255D-4B92-9E18-39E5937C9361
- Carrns, Ann, The PlayStation Breach: Why You Should Remain Calm, NYT Bucks: Making the Most of Your Money, Apr 27, 2011, available at http://bucks.blogs.nytimes.com/2011/04/27/the-playstation-breach-why-you-should-remain-calm/?scp=3&sq=PlayStation%20Network&st=cse
- Clark, Matt, PlayStation Breach Could Cost Sony $24 Billion, Plus Lawsuits, MTV Multiplayer Blog, Apr. 27, 2011, available at http://multiplayerblog.mtv.com/2011/04/27/playstation-breach-could-cost-sony-24-billion-plus-lawsuits/
- Cluley, Graham, PlayStation Network hacked: Personal data of up to 70 million people stolen, nakedsecurity, April 26, 2011, available at http://nakedsecurity.sophos.com/2011/04/26/playstation-network-hacked-personal-information-of-up-to-70-million-people-stolen/
- How to Protect Your Data on PlayStation (VideoWSJ), available at http://online.wsj.com/video/digits-how-to-protect-your-data-on-playstation/D13BCEA4-C6AC-4557-8D6E-15F075F11A0A.html
- KRISTOPHER JOHNS v. SONY COMPUTER ENTERTAINMENT AMERICA LLC, Class Action Complaint, available at http://www.techfirm.com/storage/JohnsvSony-Complaint-FINAL.pdf
- Kuchera, Ben, Ars readers report credit card fraud, blame Sony, Opposable Thumbs: What you need to know to play, http://arstechnica.com/gaming/news/2011/04/ars-readers-report-credit-card-fraud-blame-sony.ars
- McHugh, Molly, First lawsuit against PlayStation filed as users report credit card fraud, Digital Trends, Apr. 27, 2011, available at http://www.digitaltrends.com/gaming/first-lawsuit-against-playstation-filed-as-users-report-credit-card-fraud/
- Mogg, Trevor, Hacker forums suggest PlayStation data is up for sale, Digital Trends, April 28, 2011, available at http://www.digitaltrends.com/gaming/hacker-forums-suggest-playstation-data-is-up-for-sale/
- Ogg, Erica, Sony sued for PlayStation Network data breach, cnet News, Apr. 27, 2011, available at http://news.cnet.com/8301-31021_3-20057921-260.html#ixzz1KlukXMon
- Rooney, Ben, Sony Hack: Steps Users Should Take, WSJ Tech Europe, Apr 27, 2011, available at http://blogs.wsj.com/tech-europe/2011/04/27/sony-hack-steps-users-should-take/?KEYWORDS=PlayStation+Network
- Rush, Robert, Statement by U. S. Rep. Bobby L. Rush on the Breach of Privacy Information by 77 Million Users of the Sony PlayStation 3 and PlayStation Portable Video Games, April 27, 2011, available at http://www.house.gov/apps/list/press/il01_rush/pr_sony_110427.shtml
- Schiesel, Seth, PlayStation Security Breach a Test of Consumers’ Trust, New York Times, Apr 27, 2011, available at http://www.nytimes.com/2011/04/28/arts/video-games/sony-playstation-security-flaw-tests-consumer-trust.html
- Seybold, Patrick, Clarifying a Few PSN Points, April 26, 2011, available at http://blog.us.playstation.com/2011/04/26/clarifying-a-few-psn-points/
- Seybold, Patrick, Update on PlayStation Network and Qriocity, Playstation U.S. Blog, April 26, 2011, available at http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
- Snider, Mike, F.B.I. is on the Sony PlayStation Network breach case, USA TODAY, Apr 27, 2011, available at http://content.usatoday.com/communities/gamehunters/post/2011/04/fbi-is-on-the-sony-playstation-network-breach-case/1
- Stelter, Brian & Nick Bilton, Sony Says PlayStation Hacker Got Personal Data, New York Times, April 26, 2011, available at http://www.nytimes.com/2011/04/27/technology/27playstation.html?scp=2&sq=PlayStation%20Network&st=cse
- Theriault, Carole, Sony PlayStation data breach fiasco: what bugs me about it, nakedsecurity, April 27, 2011, available at http://nakedsecurity.sophos.com/2011/04/27/sony-playsation-data-breach-fiasco/
- Thorsen, Tor, First PSN outage, breach class-action lawsuit filed, GameSpot, Apr 27, 2011, available at http://www.gamespot.com/news/6310468.html