Sony Corp. (6758) has been rocked in recent weeks by a pair of high-profile system intrusions. One intrusion caused the outage of the company's Qriocity streaming media and PlayStation Network (PSN) services, along with the loss
of 77 million customer records. A second intrusion at Sony Online
24 million additional customer records.
Together the intrusions may have lost over 10 million customers' credit and debit cards, though Sony is still being unclear about whether or not this valuable information was taken.
I. Stepping up Security
In an effort to clean up its act, Sony has hired privately held security firm
Data Forte to track down the cyber criminals. Data Forte is the brainchild
of a former special agent with the U.S. Naval Criminal
The Japanese electronics giant has also retained cyber-security detectives from
Guidance Software Inc. (GUID) and consultants from
Robert Half International Inc.'s (RHI) subsidiary Protiviti to
assist in the investigation and cleanup.
There is a bit of irony there, in that Robert Half was itself the victim of
customer data loss just
weeks ago. Robert Half contracted email service solutions firm
Epsilon to manage its client email database. Like many Epsilon customers,
it was shocked to hear that Epsilon's entire database of emails from various
client companies had been stolen.
The three investigating firms are working closely with the U.S. Federal Bureau of Investigation (FBI) to examine possible identity
theft or credit card fraud attempts from the individuals who stole the
II. What's the Status?
One of the frustrating things about the entire incident is that Sony has been extremely unclear about whether users' credit cards were stolen. In all of its statements it adopted ambiguous, legalistic passages which, while not saying the card numbers were stolen, also did not rule out the
Initially, Sony was also very quiet about the breach itself, waiting a full
week before informing customers of its discovery and why the networks were
down. When it did finally inform them, it did offer them a great deal of
information about the breach itself (though it offered precious little
clarification on some of the most important points, like credit card loss).
Sony, whose Japanese executives have publicly apologized to customers, has also
been silent about its ongoing investigation.
Other security firms that aren't involved firsthand but reportedly have knowledge of the situation are speaking out. In an interview with Reuters, David Baker, vice president of services with electronic security firm IOActive, states, "It's a significant operation."
He said that he believes that Visa and MasterCard have hired their own
investigators to probe the incident as well. If true, this may indicate a
greater likelihood that credit card information was indeed lost.
Sony is facing pressure
from politicians about its failure to clarify the situation to the
public. Connecticut Senator Richard Blumenthal (D-Conn.)
letter to Sony on Tuesday demanding that it clarify whether or not
credit cards were stolen.
In the letter he says he will call on the U.S. Attorney General, Eric Holder, to probe whether or not Sony should be held criminally or civilly liable for losing its customers' personal information, including, potentially, financial records.
I would appreciate a direct and public answer detailing what the
company will do in the future to protect its consumers against breaches of
their personal and financial information.
Reportedly one thing Sen. Blumenthal and others are upset about is the report
that Sony waited two days after finding out about the breach before contacting
III. Legal Troubles Ahead for Sony?
Despite its efforts to turn the corner with its internal security and track
down the perpetrators of the breach, legal troubles may be looming for Sony, as
Sen. Blumenthal's comments might suggest.
The company has retained the services of Baker & McKenzie, a law firm. Reportedly the move was designed to retain services to help prosecute the cyber-criminals involved in the break-in. However, it may also be designed to beef up Sony's legal defense against customers.
A Toronto law firm on Tuesday announced a $1B CAD ($1.05B USD) class-action suit against Sony for breach of privacy, naming a 21-year-old PlayStation user from Mississauga, Ontario, as the lead plaintiff. Lawyers for McPhadden Samac Tuovi LLP say that the suit's requested damages would allow Sony's customers to purchase fraud prevention and credit monitoring service for two years.
It is likely that similar class action lawsuits will pop up in the U.S. and the
Many Sony customers are upset not only about the possible loss of their credit card information, but also the loss of their usernames and passwords. While the passwords were hashed, it's possible that sophisticated hackers could reverse the hash, giving them access to potentially millions of users' Facebook, Gmail, Twitter, and other accounts, given that they also have the users' emails and real names (which were reportedly unhashed and unencrypted).
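The concern above turns on how the passwords were hashed. The following is an added example, not code from the article or from Sony, that contrasts the two storage schemes: a single fast, unsalted hash (here SHA-1) stores the same digest for every user who chose the same password, so one precomputed table or one recovered record unmasks all of them, whereas a per-user random salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library) stores a different value for each user and makes every guess expensive. The sample accounts, the `hunter2` password and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample input: two made-up accounts that happen to share a
# password. These are not records from the breach.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "hunter2"),
]

# Iteration count chosen for this example; tune it to your own hardware so
# that one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast hash, no salt.

    Identical passwords produce identical digests, so the stored value can be
    matched against a precomputed table of common passwords without any
    per-user work.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random per-user salt plus a slow KDF.

    Stored as 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>' so the
    parameters travel with the record and can be upgraded later.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password hash scheme")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digests_collide(scheme: Callable[[str], str]) -> bool:
    """True if the scheme stores the same value for two users who share a password."""
    stored = [scheme(pw) for _, pw in SAMPLE_USERS]
    return stored[0] == stored[1]


if __name__ == "__main__":
    print("unsalted SHA-1 collides across users:", digests_collide(unsalted_sha1))
    print("salted PBKDF2 collides across users: ", digests_collide(hash_password))
    record = hash_password("hunter2")
    print("verify correct password:", verify_password("hunter2", record))
    print("verify wrong password:  ", verify_password("hunter3", record))
```

The stored string carries its own salt and iteration count, so `verify_password` needs no external configuration and the cost can be raised for new records without invalidating old ones.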
quote: Technical Guidelines for Protecting Stored Payment Card Data
At a minimum, PCI DSS requires PAN [primary account number] to be rendered unreadable anywhere it is stored – including portable digital media, backup media, and in logs. Software solutions for this requirement may include one of the following:
• One-way hash functions based on strong cryptography – also called hashed index, which displays only index data that point to records in the database where sensitive data actually reside.
• Truncation – removing a data segment, such as showing only the last four digits.
• Index tokens and securely stored pads – encryption algorithm that combines sensitive plain text data with a random key or "pad" that works only once.
• Strong cryptography – with associated key management processes and procedures.
Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of "strong cryptography."
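Two of the options in the quoted guidelines, truncation and a hashed index, are simple enough to show end to end, together with the "in logs" requirement. The following is an added example written for this page; it is not code from the PCI standard, from Sony or from the article. It keeps only the last four digits for display, derives a one-way lookup index for the full PAN, refuses to build a record for a number that fails the Luhn check, and redacts any Luhn-valid 13 to 19 digit run before a line reaches a log. The index uses HMAC with a secret key rather than a bare hash; that is a design choice made here because the space of valid PANs is small enough to be searched if the hash is unkeyed. The PAN 4111111111111111 is a widely published test number, and the key is a placeholder that would live in a key-management system in practice.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed sample values for this example.
SAMPLE_PAN = "4111111111111111"  # published test card number, not a real account
INDEX_KEY = b"placeholder-index-key"  # placeholder; keep the real key in a KMS/HSM


def luhn_valid(digits: str) -> bool:
    """Luhn check used by card numbers; rejects obvious non-PAN digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits, mask the rest."""
    return "*" * (len(pan) - 4) + pan[-4:]


def hashed_index(pan: str, key: bytes) -> str:
    """Hashed index: one-way value that lets records be looked up by PAN.

    Keyed (HMAC-SHA256) so that the small PAN space cannot simply be
    enumerated against stored indexes without the key.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def stored_record(pan: str, key: bytes) -> Dict[str, str]:
    """Build the record that may be persisted: no full PAN anywhere in it."""
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return {"pan_last4": truncate_pan(pan), "pan_index": hashed_index(pan, key)}


def record_exposes_pan(record: Dict[str, str], pan: str) -> bool:
    """Check, as a guard before writing, that the full PAN is not present."""
    return any(pan in value for value in record.values())


# 13 to 19 digits, not adjacent to other digits (so timestamps and ids with
# longer runs are left alone).
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_log_line(line: str) -> str:
    """Render PAN unreadable in logs: mask Luhn-valid digit runs only."""
    return _DIGIT_RUN.sub(
        lambda m: truncate_pan(m.group()) if luhn_valid(m.group()) else m.group(),
        line,
    )


if __name__ == "__main__":
    rec = stored_record(SAMPLE_PAN, INDEX_KEY)
    print(rec)
    print("record exposes PAN:", record_exposes_pan(rec, SAMPLE_PAN))
    # Constructed log line for illustration.
    print(redact_log_line(f"2011-05-03 charge ok pan={SAMPLE_PAN} amount=12.00"))
```

Lookups then run on `pan_index` computed with the same key, while the masked `pan_last4` is all that is shown to staff or customers; rotating the key means re-indexing, which is the key-management work the guidelines refer to.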