

Customers who registered with the PlayStation Network have had their names, addresses, usernames, passwords, and possibly credit cards stolen. Sony waited a week before telling the public.
Customer addresses, passwords, usernames, and emails -- and possibly credit cards -- were all taken

Sony Computer Entertainment America LLC is facing a firestorm of criticism following its admission that it handed the management of its PlayStation Network (PSN) to a smaller services provider, Qriocity, which apparently had appallingly bad security, allowing a massive loss of customer data.

In total, users' names, usernames, and addresses were all lost. They also lost users' passwords, indicating that their passwords may not have been hashed -- or at the very least weren't salted (salting is a cryptographic technique that increases the difficulty of a third party reversing a hash).
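What salting changes in a stored password table, shown as an added example that is not from Sony or the original article. The account names, passwords and PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data); two users share a password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
PBKDF2_ROUNDS = 200_000  # illustrative work factor (assumption); tune for your hardware

def unsalted_record(password):
    """Weak storage: one fast hash, no salt. Equal passwords give equal records."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)

def duplicate_groups(records):
    """Users whose stored values are identical, as visible in a copied table."""
    by_value = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(group) for group in by_value.values() if len(group) > 1)

def build_tables():
    unsalted = {u: unsalted_record(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted duplicates:", duplicate_groups(unsalted))
    print("salted duplicates:  ", duplicate_groups(salted))
```

Without a salt, every account sharing a password shares a stored value, so one precomputed lookup covers all of them; with a per-user salt each record has to be worked on separately.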

Sony also says that credit card info may have been lost, though it says it isn't sure.

In an update the company admits that it waited an entire week before telling customers that it had lost their info.  The company writes:

There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.

Some in the U.S. government have taken notice and they're not happy.  Senator Richard Blumenthal (D-Connecticut) is "demanding answers" from Sony.  He writes [press release], "When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach."

The loss of credit card info is particularly disturbing.  If the information is used to commit fraud, there's a strong likelihood that at least some customers' scores with the three major U.S. credit bureaus -- Equifax, Experian and TransUnion -- will be damaged. In cases of identity theft, the bureaus are supposed to work with individuals to fix their file and cleanse their record, but that process can take years and much grief.

Some suspect that members of the loosely organized, 4chan-affiliated hacker group "Anonymous" may be behind the data theft. Anonymous members had been using IRC to organize impromptu distributed denial-of-service raids on Sony's online properties in the wake of the company's recent lawsuit against George "GeoHot" Hotz.

Stealing customers' data seems out of character for most members of Anonymous, but it's important to remember that the group is very loosely organized and that its members have a wide range of philosophies when it comes to security and computer crime, so anything is possible.

Sony even writes:

4. Is the attack by “Anonymous” or another party?

We are currently conducting a thorough investigation of the situation. Since this is an overall security related issue, we cannot comment further at this time.

The company has a FAQ page that lists many questions people might have, along with its answers. For example, it writes:

3. Why was Sony not prepared for a compromise of its network?

We are currently conducting a thorough investigation of the situation. Since this is an overall security related issue, we cannot comment further at this time.

It appears that international users, including those in the European Union, may also be affected. Sony Computer Entertainment Europe's blog carried a press release announcing the breach, similar to that in the U.S.



Comments

By bobsmith1492 on 4/27/2011 12:04:48 PM , Rating: 2
Protecting the American people is the government's primary role - police, military, and the court system.

Identity theft and monetary theft are both crimes that the government should prosecute; if they prosecute, they should also help defend.

Here's my analogy: steal cash from your house -> police catch criminal -> courts prosecute -> police patrol to help reduce initial rates of cash theft

steal identity and credit card money -> government catches criminal -> courts prosecute -> "cyber" police patrol to help reduce initial rates of identity/credit card theft


By Nfarce on 4/27/2011 12:38:58 PM , Rating: 1
quote:
Here's my analogy: steal cash from your house -> police catch criminal -> courts prosecute -> police patrol to help reduce initial rates of cash theft


And here's how that would go down in my house:

Break in and attempt to steal while I'm there -> get your head blown off while I claim self defense -> scumbag gets stored in a cold dark place until being moved to push up daisies.


By morphologia on 4/27/2011 5:36:15 PM , Rating: 3
Lots of bravado, short on logic, assuming the government is less capable than the average couch commando...you have all the symptoms of Reactionary Syndrome. :P


By rcc on 4/27/2011 2:46:01 PM , Rating: 2
I understand what you're trying to say, and I agree.

However, a Congressman getting involved in this is like using a bulldozer on your flower beds. It won't do the job, it'll tear up the flower beds (and house), but by God the neighbors will know you were serious about your flowers!!


Copyright 2014 DailyTech LLC.