

The lawyers are coming for Sony, after it lost 101 million customers' information.  (Source: David Pear)

Sony has thus far refused to clarify whether users' credit cards were stolen. Its statements suggest that as many as 10 million customers MAY have had their credit cards stolen.  (Source: China Post)

Sony waited two days before informing the FBI of the breach and a full week before informing customers. Many customers are also distraught about their passwords, real names, and email addresses being stolen -- a combo which could give cybercriminals access to users' private online accounts.  (Source: Hard Forums)
After two high profile data losses, company has recruited the FBI and a private firm to crack down

Sony Corp. (6758) has been rocked in recent weeks by a pair of high-profile system intrusions. One intrusion caused the outage of the company's Qriocity streaming media and PlayStation Network (PSN) services, along with the loss of 77 million customer records.  A second intrusion at Sony Online Entertainment lost 24 million additional customer records.

Together the intrusions may have lost over 10 million customers' credit and debit cards, though Sony is still being unclear about whether or not this valuable information was taken.

I. Stepping up Security

In an effort to clean up its act, Sony has hired privately held security firm Data Forte to track down the cyber criminals.  Data Forte is the brainchild of a former special agent with the U.S. Naval Criminal Investigative Service.

The Japanese electronics giant has also retained cyber-security detectives from Guidance Software Inc. (GUID) and consultants from Robert Half International Inc.'s (RHI) subsidiary Protiviti to assist in the investigation and cleanup.

There is a bit of irony there, in that Robert Half was itself the victim of customer data loss just weeks ago.  Robert Half contracted email service solutions firm Epsilon to manage its client email database.  Like many Epsilon customers, it was shocked to hear that Epsilon's entire database of emails from various client companies had been stolen.

The three investigating firms are working closely with the U.S. Federal Bureau of Investigation (FBI) to examine possible identity theft or credit card fraud attempts from the individuals who stole the information.

II.  What's the Status?

One of the frustrating things about the entire incident is that Sony has been extremely unclear about whether users' credit cards were stolen.  In all of its statements it adopted ambiguous, legalistic language which, while not saying the card numbers were stolen, also did not rule out the possibility.

Initially, Sony was also very quiet about the breach itself, waiting a full week before informing customers of its discovery and why the networks were down.  When it did finally inform them, it did offer them a great deal of information about the breach itself (though it offered precious little clarification on some of the most important points, like credit card loss).

Sony, whose Japanese executives have publicly apologized to customers, has also been silent about its ongoing investigation.  

Other security firms, though, who aren't involved firsthand, but reportedly have knowledge of the situation, are speaking out.  In an interview with Reuters, David Baker, vice president of services with electronic security firm IOActive, states, "It's a significant operation."

He said that he believes that Visa and MasterCard have hired their own investigators to probe the incident as well.  If true, this may indicate a greater likelihood that credit card information was indeed lost.

Sony is facing pressure from politicians about its failure to clarify the situation to the public.  Connecticut Senator Richard Blumenthal (D-Conn.) sent a letter to Sony on Tuesday demanding that it clarify whether or not credit cards were stolen.

In the letter he says he will call on the U.S. Attorney General, Eric Holder, to probe whether or not Sony should be held criminally or civilly liable for losing its customers' personal information, including, potentially, financial records.

He writes:

I would appreciate a direct and public answer detailing what the company will do in the future to protect its consumers against breaches of their personal and financial information.

Reportedly one thing Sen. Blumenthal and others are upset about is the report that Sony waited two days after finding out about the breach before contacting the FBI.

III. Legal Troubles Ahead for Sony?

Despite its efforts to turn the corner with its internal security and track down the perpetrators of the breach, legal troubles may be looming for Sony, as Sen. Blumenthal's comments might suggest.  

The company has retained the services of Baker & McKenzie, a law firm.  Reportedly the move was designed to retain services to help prosecute cyber-criminals involved in the break-in.

However, it may also be designed to beef up Sony's legal defense against customers.

A Toronto law firm on Tuesday announced a $1B CD ($1.05B USD) class-action suit against Sony for breach of privacy, naming a 21-year-old PlayStation user from Mississauga, Ontario, as the lead plaintiff. Lawyers for McPhadden Samac Tuovi LLP say that the suit's requested damages would allow Sony's customers to purchase fraud prevention and credit monitoring service for two years.

It is likely that similar class action lawsuits will pop up in the U.S. and the European Union. 

Many Sony customers are upset not only about the possible loss of their credit card information, but also the loss of their usernames and passwords.  While the passwords were hashed, it's possible that sophisticated hackers could reverse the hashes, giving them access to potentially millions of users' Facebook, Gmail, Twitter, and other accounts, given that they also have the users' emails and real names (which were reportedly unhashed and unencrypted).




RROD
By Smilin on 5/4/2011 1:14:46 PM , Rating: 1
So how do you guys think Sony is handling this in comparison to the RROD fiasco?

Seems MS took longer to confirm the problem (apples vs oranges?) but then acted more decisively.

When it's all done this is going to be a lot more costly to Sony. MS wrote off what about a billion? 100m customers only need to sue for $10/ea to make that happen.




RE: RROD
By Aloonatic on 5/4/2011 4:02:35 PM , Rating: 2
I think it is apples/oranges, mostly as MS had control over what was happening all the way through, while Sony don't, really.

MS had control in the sense that they could issue a recall and fix a physical fault that they knew about. That was the up-side of their problem. The down side being that it was a problem that affected x% of machines (my friend's original xBox is still going, and he plays it a lot) so there was a time when they behaved as most large corporations do to a problem like that. Anyone who's watched Fight Club knows the basics. Chance of the fault occurring * cost of fixing it compared to financial loss due to bad publicity or lawsuits. Once it was clear that things were going wrong on a large enough scale to make a recall the clearly best option, they went for it. At first they denied it, but eventually started to sort it out, and offered free fixes and a free month of xbox live gold.

Sony on the other hand know that this is a problem that affects lots of people, right from the get-go, so can get started on trying to sort it out knowing that they have a big problem on their hands right away, unlike MS who looked like they sat on their hands for a bit trying to fob their customers off. The flip side is that Sony don't really have control over fixing this problem once they recognise that something has gone wrong and that they need to do something.

Sony are pretty powerless in this now that the cat is out of the bag, which is why I don't think comparing it to the RRoD issue is all that useful on many levels.

Both companies seem to be offering a similar pay off tho, one month's free top level subscription. To be fair, many xBox owners seemed happy with this, in payment for however long it took MS to fix their machine, no matter how many times the fault appeared. To fix the problem that you have as a Sony customer, you're pretty much covered to a large extent by your Credit Card company anyway, and you can change your user names and passwords yourself, so how bad is it really? Hard to say at the moment I suppose, and I'm sure that there are plenty of people who will milk this too, somehow.


RE: RROD
By someguy123 on 5/4/2011 5:17:41 PM , Rating: 2
I'd say this problem is worse than the RROD problem all because of credit information being leaked. Now, there are obviously very good anti-fraud programs, but credit rating programs are just atrocious. It takes a near act of god sometimes to get fraudulent charges off of your record, even if your credit/bank has already returned your funds and issued a new card.

RROD was a problem with an entertainment device, which isn't that big of a deal to lose (though it may be a few mindnumbingly boring weeks for repair). Credit history is a big issue, though, and if people really do have their hands on credit information it can cause tons of headaches and wasted time for those affected. There is also the issue of having your private information spread and receiving piles of spam, digital and physical.

The worst thing this does for Sony is absolutely destroy their credibility as well. I'm sure most people who read about Sony losing private information will steer clear from getting anything digitally from Sony (like purchasing from the Sony store) for a good while.


RE: RROD
By Aloonatic on 5/4/2011 5:35:56 PM , Rating: 3
Just so you know, I wasn't trying to say which problem is/was worse, just that they are different in their nature and what each company is actually able to do to affect what is happening, so comparing how the 2 companies handle(d) them is not that useful.

For what it's worth, I think you're being a little melodramatic. I doubt if there are many people who are going to be refused loans, credit cards or mortgages because of this. The credit information is probably going to turn out to be little more than an inconvenience for most people, and potentially very annoying for some credit card companies.

It's more the other information that might be useful to fraudsters, wanting to use it to compromise other sites/services or Sony users' other accounts using the information that they have gained.

I'd guess that the number of people who will actually be directly affected by the Sony problem will be far far fewer than those who were by the RRoD issue, but those that are, might well be affected much more, of course. Both sets of users both live(d) in fear of being affected though.

At the end of the day, both Sony and MS messed up royally, so neither can crow too loud, and nor can their fanboys. It's just another area, as well as trifling issue of consoles sold, where Nintendo won this round I suppose :o)


RE: RROD
By Smilin on 5/6/2011 4:02:35 PM , Rating: 2
Good points.

The responses from the two weren't the same though. MS seemed to take a sledge hammer to the PR problems once they finally acknowledged. They extended the warranty to 3 years retroactively to catch people who had the problem but were out of warranty. This is what really cost them the $1billion.

As I write this though Sony seems to be trying the same sledge hammer: they are buying a pretty comprehensive ID theft package for users.

I don't think MS sat on their hands so much as the problem was harder to pin down. Not all RRODs were from the same cause, plus mixed in with the normal ~5% failure rate of consumer electronics.

In Sony's case they knew basically by day 2 or 3 that they had a "100% failure rate". The discovery unfolded immediately instead of over months.

The story isn't over yet though. We'll have to see how Sony handles it. MS clearly learned their lesson: The Kinect has a fan built in when testing shows it's not needed. Rumors are that Sony is going to get hit again this weekend.

PSN users: I'm an XBL user. We both love to sling insults at each other but really we're all gaming brothers. *I* like picking on you but I really don't like anyone else doing so (that's the way siblings work). I hope you're back online soon and I hope they find the culprits.


RE: RROD
By FITCamaro on 5/4/2011 6:27:23 PM , Rating: 2
Microsoft's problem didn't potentially negatively impact every aspect of their customers' lives. So taking longer didn't matter.

What I want is to be able to log in and know whether or not I had a credit card on file. But I haven't been able to.

Copyright 2014 DailyTech LLC.