
The lawyers are coming for Sony, after it lost 101 million customers' information.  (Source: David Pear)

Sony has thus far refused to clarify whether users' credit cards were stolen. Its statements suggest that as many as 10 million customers MAY have had their credit cards stolen.  (Source: China Post)

Sony waited two days before informing the FBI of the breach and a full week before informing customers. Many customers are also distraught about their passwords, real names, and email addresses being stolen -- a combo which could give cybercriminals access to users' private online accounts.  (Source: Hard Forums)
After two high profile data losses, company has recruited the FBI and a private firm to crack down

Sony Corp. (6758) has been rocked in recent weeks by a pair of high profile system intrusions. One intrusion caused the outage of the company's Qriocity streaming media and PlayStation Network (PSN) services, along with the loss of 77 million customer records.  A second intrusion at Sony Online Entertainment lost 24 million additional customer records.

Together the intrusions may have exposed over 10 million customers' credit and debit card numbers, though Sony is still being unclear about whether or not this valuable information was taken.

I. Stepping up Security

In an effort to clean up its act, Sony has hired privately held security firm Data Forte to track down the cyber criminals.  Data Forte is the brainchild of a former special agent with the U.S. Naval Criminal Investigative Service.

The Japanese electronics giant has also retained cyber-security detectives from Guidance Software Inc. (GUID) and consultants from Robert Half International Inc.'s (RHI) subsidiary Protiviti to assist in the investigation and cleanup.

There is a bit of irony there, in that Robert Half was itself the victim of customer data loss just weeks ago.  Robert Half contracted email service solutions firm Epsilon to manage its client email database.  Like many Epsilon customers, it was shocked to hear that customer email lists belonging to a number of Epsilon's client companies had been stolen.

The three investigating firms are working closely with the U.S. Federal Bureau of Investigation (FBI) to examine possible identity theft or credit card fraud attempts by the individuals who stole the information.

II.  What's the Status?

One of the most frustrating things about the entire incident is that Sony has been extremely unclear about whether users' credit cards were stolen.  All of its statements have used ambiguous, lawyerly language that, while not saying the card numbers were stolen, also did not rule out the possibility.

Initially, Sony was also very quiet about the breach itself, waiting a full week before telling customers what it had discovered and why the networks were down.  When it finally did inform them, it offered a good deal of information about the breach itself, though precious little clarification on some of the most important points, like the loss of credit card data.

Sony, whose Japanese executives have publicly apologized to customers, has also been silent about its ongoing investigation.  

Other security firms that aren't involved firsthand but reportedly have knowledge of the situation are speaking out.  In an interview with Reuters, David Baker, vice president of services with electronic security firm IOActive, states, "It's a significant operation."

He said that he believes that Visa and MasterCard have hired their own investigators to probe the incident as well.  If true, this may indicate a greater likelihood that credit card information was indeed lost.

Sony is facing pressure from politicians over its failure to clarify the situation to the public.  Senator Richard Blumenthal (D-Conn.) sent a letter to Sony on Tuesday demanding that it clarify whether or not credit card data was stolen.

In the letter he says he will call on the U.S. Attorney General, Eric Holder, to probe whether or not Sony should be held criminally or civilly liable for losing its customers' personal information, including, potentially, financial records.

He writes:

I would appreciate a direct and public answer detailing what the company will do in the future to protect its consumers against breaches of their personal and financial information.

Reportedly one thing Sen. Blumenthal and others are upset about is the report that Sony waited two days after finding out about the breach before contacting the FBI.

III. Legal Troubles Ahead for Sony?

Despite its efforts to turn the corner with its internal security and track down the perpetrators of the breach, legal troubles may be looming for Sony, as Sen. Blumenthal's comments might suggest.  

The company has retained the law firm Baker & McKenzie.  Reportedly the firm was hired to help pursue the cyber-criminals involved in the break-in.

However, it may also be designed to beef up Sony's legal defense against customers.

A Toronto law firm on Tuesday announced a C$1B ($1.05B USD) class-action suit against Sony for breach of privacy, naming a 21-year-old PlayStation user from Mississauga, Ontario, as the lead plaintiff. Lawyers for McPhadden Samac Tuovi LLP say the damages requested would allow Sony's customers to purchase fraud prevention and credit monitoring services for two years.

It is likely that similar class action lawsuits will pop up in the U.S. and the European Union. 

Many Sony customers are upset not only about the possible loss of their credit card information, but also about the loss of their usernames and passwords.  Sony says the passwords were hashed, but a hash is not so much "reversed" as guessed: with the hash table in hand, attackers can test dictionaries of common passwords offline at their leisure, and if the hashes carry no per-user salt, a single pass over a wordlist cracks every account that used a matching password at once.  Combined with the email addresses and real names (which were reportedly stored unhashed and unencrypted), any cracked password that a user reused elsewhere opens that user's Facebook, Gmail, Twitter, or other accounts.
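To make that point concrete, here is an added example, not from the article and not code from Sony's systems: a constructed table of "leaked" accounts, a small constructed attacker wordlist, and a comparison of how much work an attacker needs against an unsalted fast hash versus per-user salts with a slow key-derivation function. The user names, passwords and wordlist are all made up for the illustration.

```python
"""Added example: why a leaked table of unsalted password hashes can be
cracked for every user at once, and how per-user salts plus a slow KDF
change the attacker's cost. All accounts, passwords and the wordlist are
constructed for this example; nothing here comes from Sony's systems."""
import hashlib
import hmac
import os

# Constructed sample of "leaked" accounts. Two users share a weak password,
# which is exactly what password reuse across sites looks like.
USERS = {
    "alice@example.com": "Password1",
    "bob@example.com":   "letmein",
    "carol@example.com": "Password1",
    "dave@example.com":  "X9#vq!7Lp2mZ",   # not in the attacker's wordlist
}

# Constructed attacker wordlist (real ones have tens of millions of entries).
WORDLIST = ["123456", "password", "letmein", "Password1", "qwerty", "sony123"]


def unsalted_sha1(password: str) -> str:
    """Fast, keyless, unsalted: the same password always gives the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(hashes: dict, wordlist) -> tuple[dict, int]:
    """Crack a {user: hash} table with ONE pass over the wordlist.
    Returns (cracked {user: password}, number of hash operations)."""
    # Precompute hash -> guess once. The table is reusable against every
    # user in this dump, and against any other site that stores unsalted SHA-1.
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def salted_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(records: dict, wordlist, iterations: int) -> tuple[dict, int]:
    """records: {user: (salt, digest)}. The salt forces a fresh pass over the
    wordlist per user, and each guess costs `iterations` HMAC calls."""
    cracked, ops = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            ops += 1
            if hmac.compare_digest(salted_pbkdf2(w, salt, iterations), digest):
                cracked[user] = w
                break
    return cracked, ops


def demo(iterations: int = 2_000):
    """Build both kinds of 'leaked' table from USERS and attack each.
    Returns (cracked_unsalted, ops_unsalted, cracked_salted, ops_salted)."""
    leaked_unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    leaked_salted = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        leaked_salted[u] = (salt, salted_pbkdf2(p, salt, iterations))
    c1, ops1 = crack_unsalted(leaked_unsalted, WORDLIST)
    c2, ops2 = crack_salted(leaked_salted, WORDLIST, iterations)
    return c1, ops1, c2, ops2


if __name__ == "__main__":
    c1, ops1, c2, ops2 = demo()
    print("unsalted SHA-1: cracked", c1, "with", ops1, "hash operations")
    print("salted PBKDF2:  cracked", c2, "with", ops2, "guesses of 2000 iterations each")
```

Both attacks recover the same weak passwords from this small wordlist; the difference is cost. Against the unsalted table the six hashes computed once crack all three weak accounts (and would crack any other dump using the same scheme), while the salted table needs a separate pass per user at thousands of HMAC calls per guess, which is what turns a million-account dump from an afternoon's work into a budget question.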

Comments

We need some penalty standards here
By mcnabney on 5/4/2011 12:57:03 PM , Rating: -1
I propose that the legislature put some specific penalties in place for data breaches. Instead of wrangling through trials and attorneys - a straight formula of damages for released customer information.

Name - $20
Address - $10
Email address - $50
password - $100
CC# - $50
Answers to security questions - $50 each

So each of the victims here would get $170+

RE: We need some penalty standards here
By LRonaldHubbs on 5/4/2011 1:25:18 PM , Rating: 2
While I understand the sentiment of wanting to punish companies that mismanage user info, your proposal erroneously assumes that it is possible to build an impenetrable system. Why should we penalize a company that puts real effort into security but ends up getting hacked in spite of their efforts? You could bankrupt a company that genuinely did nothing wrong by forcing them to pay for the crimes of others. Keep things how they are, prosecute the hackers, and prosecute the company if there is evidence of negligence.

RE: We need some penalty standards here
By MrBlastman on 5/4/2011 1:44:27 PM , Rating: 1
Exactly. Even the greatest of security systems will only deter people for a given length of time. Defenses can _always_ be overcome. There is always a way. Humans didn't become the top of the food chain for no reason. We are decades, if not a century away from creating technology as powerful as the human brain as far as AI is concerned. How can we even begin to think we can create a machine now if this is the case that can outsmart all of us, forever?

I'm completely against putting in to law a set of penalties. I argue that we should let the free markets decide the fate of any company that makes as large a blunder as Sony has.

By nolisi on 5/4/2011 2:27:05 PM , Rating: 1
I argue that we should let the free markets decide the fate of any company that makes as large a blunder as Sony has.

The free market won't provide reparations for individuals affected by the breach who put their trust in Sony. Sony took the risk of taking consumer data, and it has a responsibility to safeguard it.

But let's play out the free market scenario and pretend 101 million people are outraged and the world's individuals stop using Sony products for fear of data breaches. What will happen to Sony? The free market principles dictate that Sony will go out of business, right?

Wrong. Sony not only does business with individuals, but other corporations, licensing out technology, selling components, etc with all the IP it has created and purchased. It will survive because of the cooperation of other businesses and its sheer market power.

Will Sony suffer financially as a result of this? A bit. Will it matter/make a difference? Probably not. Shareholder prices might go down and they may suffer a decline in product shipments, but the people who will truly feel the impact the most are going to be the employees whose jobs are cut as a result of the declining sales that resulted from this massive mismanagement; and given the precedents set in the last several years of failing companies, they will still find a way to reward the decision makers who are ultimately responsible with bonuses.

The free market almost never issues responsibility to those who made the actual decisions; worst case scenario for Sony is that instead of shareholder prices and executive pay/bonuses getting reduced, they'll just cut jobs to make up the difference.

RE: We need some penalty standards here
By mcnabney on 5/4/2011 1:46:01 PM , Rating: 2
And what are the costs for the 101 MILLION people that now have to change everything in their online life? Just because there is a large scale doesn't mean that every one of those people is not damaged in some way. These troves of personal data NEED better protection, and if a few companies that can't seem to protect it go bankrupt, so be it. (all data except passwords were not encrypted and not hashed, the password had a salt-free hash, so they can be reverse engineered since the hackers are going to know a lot of real passwords to match up with the hashed ones they stole) This almost falls on the line of a restaurant giving customers food poisoning. An obvious negative consumer impact that WAS preventable. Sony's problem is the scale. This isn't some little break-in with 20-30k email addresses stolen. This is their entire customer file for a hundred million clients.

By LRonaldHubbs on 5/4/2011 3:19:11 PM , Rating: 2
Your argument here is inconsistent. What I disagreed with was your statement that there need to be set rules for damages when user info is compromised. Now you are talking about Sony specifically, which is not the same argument. As I said above, if a company is shown to have been negligent, then they deserve to pay. However, your proposal was to ALWAYS make the company pay out, and that is ridiculous. THAT is what I took argument with. Put the straw man away and defend your original position.

By callmeroy on 5/4/2011 1:28:39 PM , Rating: 2
No way Jose!

$170 is all your ID is worth to you?

Screw that, add some zeros my friend then get back to me...

If your info is stolen and someone is literally using your ID that is a nightmare to straighten out -- it can honestly take you years to correct your credit alone and rebuild your reputation in some cases...if that's even possible.

It may sound simple or silly to just talk about it but victims of ID theft go through a fair degree of mental anguish over this stuff....with good reason -- it can drastically affect your credit history, which then impacts what you pay for new loans or even your chance of getting the loan in the first place, plus just the uneasy feeling knowing some jack hole knows all your info -- your address, your SSN, your DOB...your CC numbers...what bank you go to...

They can go nuts and YOU pay for it..not them.

So yeah tens of thousands of dollars is much more fair...

RE: We need some penalty standards here
By invidious on 5/4/2011 4:11:19 PM , Rating: 1
Everyone on PSN signed a contract acknowledging and accepting what Sony was doing with their personal data. As long as Sony holds up their end of the contract and provided a reasonable level of security they are most likely not liable for any damages. This lawsuit needs to prove that Sony was negligent, not just that the plaintiffs were damaged.

By bodar on 5/4/2011 7:36:02 PM , Rating: 2
Sony is supposed to be PCI DSS compliant. So why don't they KNOW whether CC data was compromised? Isn't that why we set standards for consumer data security? I don't know.

Technical Guidelines for Protecting Stored Payment Card Data

At a minimum, PCI DSS requires PAN [primary account number] to be rendered unreadable anywhere it is stored – including portable digital media, backup media, and in logs. Software solutions for this requirement may include one of the following:
• One-way hash functions based on strong cryptography – also called hashed index, which displays only index data that point to records in the database where sensitive data actually reside.
• Truncation – removing a data segment, such as showing only the last four digits.
• Index tokens and securely stored pads – encryption algorithm that combines sensitive plain text data with a random key or “pad” that works only once.
• Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography.”

Maybe Sony did things by the book and still got hacked anyway, but if you ask Anton Chuvakin, Sony crapped the bed... big time.

It could be that they got tunnel-vision, did only what was necessary to be compliant and said, "hey, screw everything else". If that's the case, then they should be liable for damages, IMO.
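As an added illustration of the PCI DSS options bodar quotes above (this is not part of the comment, the standard, or Sony's code), the following constructed Python example shows truncation and a keyed hash of a primary account number, and one caveat practitioners check for: if a truncated PAN and an unsalted hash of the full PAN sit in the same record, the hidden digits can be enumerated, because a guessable issuer BIN and the visible last four leave only six digits unknown on a 16-digit card. The card number, the key, and the record layout are constructed for the example; 411111 is a well-known test BIN, not a customer's card.

```python
"""Added example (not from the PCI DSS text or from Sony): how truncation and a
keyed hash render a stored PAN unreadable, and the caveat that storing the
truncated PAN next to an unsalted hash of the full PAN lets an attacker
reconstruct it by enumerating the hidden digits. Card number and key are
constructed for the example."""
import hashlib
import hmac
import itertools

# Constructed, not a real card: test BIN 411111, middle 012345, Luhn check digit 7.
SAMPLE_PAN = "4111110123456787"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncation: keep only the last four digits (the usual display form)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def unsalted_index(pan: str) -> str:
    """A bare hash of the PAN. Fast and keyless: anyone can recompute it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_index(pan: str, key: bytes) -> str:
    """HMAC under a secret key: still a stable lookup index for the application,
    but an attacker who has the data and not the key cannot test guesses."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def weak_record(pan: str) -> dict:
    """A record that looks compliant: truncated PAN for display plus an
    unsalted hash for matching. The two fields correlate (see reconstruct)."""
    return {"last4": truncate(pan), "index": unsalted_index(pan)}


def safer_record(pan: str, key: bytes) -> dict:
    """Truncated PAN for display, keyed index for matching; the key is held
    by the key-management system, never beside the data."""
    return {"last4": truncate(pan), "index": keyed_index(pan, key)}


def reconstruct(bin6: str, record: dict, length: int = 16):
    """Attacker view of a weak_record: the issuer BIN (first 6 digits) is
    guessable from the card brand, the last 4 are in the record, so only
    length-10 digits are hidden. Enumerate them, skip Luhn failures, stop
    when the unsalted hash matches. For 16-digit PANs that is 10**6 middles,
    exactly 10**5 of which pass the Luhn filter.
    Returns (pan_or_None, hashes_computed)."""
    last4 = record["last4"][-4:]
    hidden = length - 6 - 4
    computed = 0
    for digits in itertools.product("0123456789", repeat=hidden):
        cand = bin6 + "".join(digits) + last4
        if not luhn_ok(cand):
            continue
        computed += 1
        if unsalted_index(cand) == record["index"]:
            return cand, computed
    return None, computed


if __name__ == "__main__":
    key = b"constructed-demo-key"          # in practice: from an HSM or key service
    print("weak record :", weak_record(SAMPLE_PAN))
    print("safer record:", safer_record(SAMPLE_PAN, key))
    pan, n = reconstruct("411111", weak_record(SAMPLE_PAN))
    print("recovered", pan, "after", n, "hash computations")
```

The same enumeration run against `safer_record` has nothing to compare against without the key, so the attacker is back to stealing the key rather than burning a few hundred thousand hash operations per card. This is the substance of the PCI DSS note that hashed and truncated forms of the same PAN must not be correlatable when both are present.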


Copyright 2016 DailyTech LLC.