Wednesday, April 27, 2011

Sony faces lawsuit, government investigations over PSN data breach

Sony on Tuesday said that at least some personal information had been lost in the data breach of its PlayStation Network (PSN) and Qriocity services. On Wednesday, both the U.S. and U.K. governments began looking into the breach, and just how long Sony knew certain details of the hacking incident.

Senator Richard Blumenthal (D-CT) sent a letter to Sony Computer Entertainment America (SCEA) CEO Jack Tretton. In part, Blumenthal said:
When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.

I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.
Based on the earlier post from Sony, it didn't seem as though the company intended to do anything regarding credit monitoring or other such services. In fact, SCEA said it wasn't sure that credit card information was stolen, which is perhaps its (attempted) out in terms of the free credit reporting service access that Blumenthal says the 75 million members of PSN should receive.

Meanwhile, the U.K.'s Information Commissioner's Office (ICO) says it is looking into whether Sony did enough to protect sensitive user information, and whether SCEA notified its customers in a timely manner. The ICO is a U.K. government agency that says on its website that its mission is "to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals." The ICO said:
"The Information Commissioner's Office takes data protection breaches extremely seriously. Any business or organization that is processing personal information in the UK must ensure they comply with the law, including the need to keep data secure."
In the first of what may be many lawsuits, Kristopher Johns, 36, of Birmingham, AL, filed a suit in the U.S. District Court for the Northern District of California. He accused Sony of not taking "reasonable care to protect, encrypt, and secure the private and sensitive data of its users."

Update: Sony said that credit card data, but not personal data, was encrypted, in a new update posted late Wednesday. The company said:
The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
