The Informatica blog - Authored by Claudiu Popa


Catastrophic Playstation Network Data Breach: Inventory of what you may have lost
For the past few days we have been privy to tidbits of information about the recent PlayStation Network breach (hereafter the PSN Breach), often dismissive and always shrouded in an aura of non-seriousness because the victim is an entertainment industry fixture. Indeed, breaches of government records, personal health information and financial data garner a vastly more pronounced knee-jerk reaction of shock and awe.

By now millions of people are in receipt of a carefully worded letter, written using recycled electrons and no doubt a gazillion internal revisions. By many accounts, some 77 million PlayStation(R) Network and Qriocity accounts have had their information compromised. A new report indicates that a further 25 million accounts, this time with debit and credit card data, have also been compromised. Far be it from these companies to acknowledge the existence of organized crime on the Internet: they indicate that “an unauthorized person” has obtained the following information. In other words, “dear loyal customer, we failed to protect the data you entrusted to us, and the following information of yours is now in the custody of a criminal”. They go on to list the information that may now be in enemy hands as a result of this debacle. You may wish to get comfortable at this point:

1. Name
2. Address (city, state/province, zip or postal code)
3. Country
4. Email address
5. Birth date
6. PlayStation Network/Qriocity password
7. Login
8. Password security answers
9. Handle/PSN online ID
10. Profile data, potentially including purchase history and billing address (city, state/province, zip or postal code)
11. Credit card number and expiration date
12. Debit card information

The letter goes on to say that “if you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained”.

Okay! Thanks, Sony. We’ll let our dependents know that while they depended on us, we depended on you.

I note a couple of interesting things about this letter, beyond the fact that it places the blame on an ‘unauthorized individual’ rather than a ‘party’. The latter might imply that your information is out there being mined and correlated with millions of records from other breaches to build a rather valuable profile of you for use in the months and years to come. No. An ‘individual’. A lone wolf, perhaps, with a thirst for tens of millions of gaming profiles on the now comatose PSN. Right.

The letter specifies that a “full and complete” investigation is now under way while the Network is down. It is quick to point out, however, that there is “no evidence at this time” (naturally, since it was sent before the investigation was completed) that your credit card data was taken, but that there is a possibility it was. We just don’t know yet. But there’s a possibility, so “we encourage you to remain vigilant, to review your account statements and to monitor your credit or similar types of reports… we regret any inconvenience”. This “out of an abundance of caution”. Bravo! Whoever came up with that phrase at Sony, a tip of my hat to you. If that same “abundance” had been exercised before - by someone - we might not be in this situation.

According to the company, “Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority.”

In other words, the priority - now that all client and subscriber data has presumably been stolen and has probably already changed hands - is to start protecting it. Or perhaps the argument is that because there already were security measures in place, it took this long for the data to get stolen, so we owe Sony for prolonging the time we had with our eventually doomed data. But what if the security measures were so poor that the data has been compromised many times in the past, and this latest breach was only the clumsiest one to date, allowing the ‘individual’ to be detected?

Either way, it’s good to know that this is now the utmost priority!

Let’s be crystal clear here. This kind of retroactive mea culpa is not born of morality; it comes from a legal requirement to disclose security breaches. Unfortunately for Sony, it is a massive blemish on its reputation and threatens to further impact its global operations. It underlines its abject failure to protect client data with confidentiality controls (read: encryption, and proper hashing of passwords and security answers) and calls its compliance with the Payment Card Industry (PCI) Data Security Standard into serious question. Had such non-compliance been known or made public beforehand, the card brands and acquiring banks could have cut off card processing, which in practice would have barred the company from conducting much of its online business through the PlayStation Network. Instead, a breach of catastrophic proportions had to occur for the company to craft such well turned phrases as those you should now revisit in the preceding paragraph. A class action lawsuit has already been filed. For a somewhat more wordy - but no less patronizing - version of the letter that arrived in my inbox (minus the handy French translation thoughtfully provided to Canadian recipients), see the Sony blog.
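To make the point about confidentiality controls concrete, here is an added illustration (my own example code, not Sony's, and not a description of how the PSN actually stored anything): the account record the letter implies, with the inventory's secrets sitting in the row as typed, beside a hardened version of the same record. Passwords and security answers are hashed with a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256 from the Python standard library), security answers are normalized first so that "Rex" and " rex " still match, and the full card number is never written into the account table at all. The login, password, answer and card number are constructed sample data; 4111 1111 1111 1111 is the well-known Visa test number.

```python
"""Added example: the weak account record implied by the PSN letter beside
a hardened one. Not Sony's code; all sample data is constructed."""
import hashlib
import hmac
import secrets
import unicodedata

PBKDF2_ROUNDS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


def _normalize_answer(answer: str) -> str:
    """Security answers are typed by humans: fold case, accents and spacing."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def protect_secret(secret: str) -> dict:
    """Salted, slow hash of a password or security answer. Returns the
    parameters needed to verify later; nothing here reveals the secret."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_secret(secret: str, stored: dict) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    expected = bytes.fromhex(stored["hash"])
    actual = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(stored["salt"]), stored["rounds"]
    )
    return hmac.compare_digest(actual, expected)


def weak_record(login: str, password: str, answer: str, pan: str, expiry: str) -> dict:
    """The pattern the letter implies: every inventory item stored as typed,
    so whoever copies the table gets the password, the answer and the card."""
    return {
        "login": login,
        "password": password,
        "security_answer": answer,
        "card_number": pan,
        "card_expiry": expiry,
    }


def hardened_record(login: str, password: str, answer: str, pan: str, expiry: str) -> dict:
    """Same fields, but nothing in the row can be replayed by the thief.
    The full PAN stays with the payment processor; only last-4 is kept so the
    customer can recognise which card is on file."""
    return {
        "login": login,
        "password": protect_secret(password),
        "security_answer": protect_secret(_normalize_answer(answer)),
        "card_last4": pan.replace(" ", "")[-4:],
        "card_expiry": expiry,
    }


def check_security_answer(answer: str, record: dict) -> bool:
    return verify_secret(_normalize_answer(answer), record["security_answer"])


def reusable_secrets(record: dict) -> list:
    """What an attacker holding this one row could use directly: a plaintext
    password, a plaintext security answer, or a full card number."""
    found = []
    if isinstance(record.get("password"), str):
        found.append("password")
    if isinstance(record.get("security_answer"), str):
        found.append("security_answer")
    pan = record.get("card_number", "").replace(" ", "")
    if len(pan) >= 13 and pan.isdigit():
        found.append("card_number")
    return found


if __name__ == "__main__":
    # Constructed sample data; 4111 1111 1111 1111 is the Visa test number.
    args = ("gamer42", "hunter2", "Rex", "4111 1111 1111 1111", "12/13")
    weak, hard = weak_record(*args), hardened_record(*args)
    print("weak row leaks:", reusable_secrets(weak))        # all three
    print("hardened row leaks:", reusable_secrets(hard))    # nothing
    print("login still works:", verify_secret("hunter2", hard["password"]))
    print("answer still works:", check_security_answer("  rex ", hard))
```

The hardened row still lets the service authenticate the customer, but a stolen copy of it yields no password to try against other sites, no security answer for account recovery, and no card number; the thief is left with the immutable fields (name, birth date, address) that the customer cannot rotate, which is exactly why those belong under access controls and encryption too.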
On a completely different note:
Amazing what the Americans can do when the Playstation Network is down 