Ulf Mattsson, CTO, Protegrity: Making Sense of the Sony Breach
April 2011 by Ulf Mattsson, CTO, Protegrity Corporation
On Tuesday, April 26, Sony warned 77 million PlayStation Network and Qriocity users that an external attacker had breached its servers and gained access to sensitive user data. For background, the PlayStation Network (or PSN) is an online multiplayer gaming and digital media delivery service for the PlayStation 3 and PlayStation Portable consoles. Qriocity is Sony’s on-demand service for streaming music, games, e-books and video, currently available in eleven countries on Web-connected Bravia TVs and Blu-ray players. To use these networks, users must create a username and password and supply personally identifiable information (PII) such as home address, email address and birth date.
According to Sony, the breach occurred sometime between April 17 and April 19, and the attackers gained access to usernames, passwords, online IDs, customer addresses, email addresses, birth dates and possibly profile data, which includes purchase history, billing addresses and security questions. To date, Sony says there is “no evidence” that credit card information was compromised; even so, the company has been advising customers to monitor their card statements for fraudulent charges and to check their credit reports to confirm that their financial information was not exposed.
Sony has since released a lengthy Q&A on the breach, in which it acknowledged that credit card information was encrypted but the PII was not. This follows the recent trend, seen in the Epsilon, Walgreens and McDonald’s breaches, of attackers going after PII and using it to mount targeted spear-phishing campaigns.
While there have been reports of consumers suffering from ‘breach fatigue,’ it’s clear that companies need to be held more accountable for the PII and financial information they collect and store. Class action suits accusing Sony of failing to adequately protect, encrypt and secure its customer data have been filed in both California and Alabama, and there has been discussion in Congress of legislation requiring companies to better protect PII. Investigations have begun in several states, including Iowa, Connecticut, Florida and Massachusetts. To make matters worse for customers, recourse could be difficult given Sony’s terms of service, which absolve the company of any culpability in the event of data loss. Any data breach damages brand image and carries heavy financial costs.

Could the Sony breach have been prevented? Yes, through compliance: most organizations (89%) suffering payment card breaches had not been validated as PCI DSS compliant at the time of the breach. At Sony, the credit card data was likely encrypted in some way, but potentially not in a PCI DSS compliant way. Note, though, that PCI DSS scopes only cardholder data; the usernames, passwords, addresses and birth dates that were actually taken fall outside it, so compliance alone does not cover what was lost here. At this point it is abundantly clear that companies need to protect PII as carefully as card data, with technologies such as encryption and tokenization. In particular, new developments in tokenization are making it more cost effective and feasible to protect both PII and credit card data. Hopefully companies won’t need another breach to convince them to properly secure all the customer data in their possession.
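The distinction the passage draws between encrypting card data and tokenizing card data and PII is easier to see in code. The following is an added example written for this page; it is not Sony’s system or Protegrity’s product. It is a minimal vault-based tokenizer in Python that replaces the card number and the PII in a customer record with random tokens. The record fields, the `TokenVault` class and the sample customer are all constructed for this illustration.

```python
import secrets
import string

# Constructed sample record (not real customer data). The field names are
# assumptions for this example and are not any real service's schema.
SAMPLE_RECORD = {
    "online_id": "gamer_42",
    "email": "alice@example.com",
    "birth_date": "1985-07-14",
    "card_number": "4111111111111111",   # standard Visa test number
}

# Fields the application should not hold in the clear once a purchase is authorised.
TOKENIZED_FIELDS = ("email", "birth_date", "card_number")


def luhn_valid(digits):
    """Luhn check as used for card numbers. Card tokens are forced to FAIL it,
    so a token can never be mistaken for, or charged as, a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-based tokenizer. Tokens are random and not derived from the value,
    so nothing in the application database (and no stolen key) recovers the
    original; only a lookup in the vault does. Assumption: the vault runs in a
    separately controlled zone; here it is an in-memory dict for illustration."""

    def __init__(self):
        self._token_to_value = {}   # token -> (field, value)
        self._value_to_token = {}   # (field, value) -> token, so repeat values reuse a token

    def _new_card_token(self, pan):
        # Keep length and last four digits so receipts and support tools still work;
        # the leading digits are random, and the whole token must fail Luhn.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._token_to_value:
                return token

    def _new_opaque_token(self, field):
        # Opaque token for other PII; the prefix only says which field type it replaces.
        while True:
            token = "tok_%s_%s" % (field, secrets.token_hex(8))
            if token not in self._token_to_value:
                return token

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._value_to_token:
            token = self._new_card_token(value) if field == "card_number" else self._new_opaque_token(field)
            self._value_to_token[key] = token
            self._token_to_value[token] = key
        return self._value_to_token[key]

    def detokenize(self, token):
        return self._token_to_value[token][1]


def tokenize_record(vault, record):
    """What the application database stores: tokens in place of PII and PAN."""
    out = dict(record)
    for field in TOKENIZED_FIELDS:
        out[field] = vault.tokenize(field, record[field])
    return out


def detokenize_record(vault, record):
    """What only a vault-authorised process (e.g. the payment step) can do."""
    out = dict(record)
    for field in TOKENIZED_FIELDS:
        out[field] = vault.detokenize(record[field])
    return out


def exposed_fields(stored, original):
    """Simulate a database dump: which sensitive fields still hold the clear value?"""
    return [f for f in TOKENIZED_FIELDS if original[f] in stored[f]]


if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_record(vault, SAMPLE_RECORD)
    print("stored row:", stored)
    print("exposed on dump:", exposed_fields(stored, SAMPLE_RECORD))
    print("round trip ok:", detokenize_record(vault, stored) == SAMPLE_RECORD)
```

The point of the example is that the application database holds only tokens, and a token has no mathematical relationship to the original value, so a dump of that database reveals nothing even if every key the application holds is taken with it; recovery requires a lookup in the vault, which belongs in its own tightly controlled zone. The card token keeps its length and last four digits but is forced to fail the Luhn check, so it cannot be charged or confused with a real PAN. Format-preserving encryption is the keyed alternative, and with it a stolen key recovers every record, which is the trade-off that makes tokenization attractive for both card data and PII.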