Sony’s PS3 Network Hack: How it Could Affect You
Written by Faith Anderson on April 29, 2011
How Sony’s PlayStation Network Was Infiltrated
According to Alan Paller, the research director of the SANS Institute, the PlayStation breach might be the largest example of identity theft recorded. Although there have been instances in the past which involved the theft of a greater number of credit cards, these typically included only names and credit card numbers. The Sony intrusion, however, exposes a vast collection of each user’s personal information to the hacker.
The PlayStation Network makes online play between PlayStation 3 consoles possible and boasts an impressive 77 million users. Although accounts can be started on the PlayStation network free of charge, users must provide credit card information before being able to purchase games. In order for personal information to have been stolen from the PlayStation Network, it would have to have been stored by Sony in unencrypted form, which is a critical security error no company should make.
The security breach involved both the PlayStation Network, which serves PS3 consoles and PlayStation portables, and Qriocity, which provides consumers with a music-streaming service. Sony discovered the intrusion on April 19 and immediately shut down the network services. Experts were then brought in to determine how the hack was carried out and the extent to which PlayStation 3 consumers may be affected. Unfortunately, Sony didn’t notify consumers of the security breach until seven days later.
PlayStation Network Hackers and Inadequate Sony Security
Earlier this year, famed hardware hacker George Hotz claimed to have hacked Sony’s PlayStation 3, which would allow users to run pirated games or use homemade software. Hotz informed consumers that, after continuing to work on the hack, he would make the details available to the public in order to make it easier for consumers to decipher and hack security features on the system.
An activist group called Anonymous has criticized Sony in the past for threatening legal action against any hackers who exploited the encryption which was cracked by Hotz. According to resources, this encryption crack would have made software piracy on the PlayStation 3 easier, but it is unclear if it could have facilitated this network attack. Both Hotz and Anonymous, however, have denied any involvement in the security breach that brought down the PlayStation Network.
Paller has suggested that this security breach was caused by an oversight on Sony’s part when the PlayStation 3 was launched five years ago. According to information provided by other potential hackers, the PlayStation Network encryption may be faulty, making it relatively easy for people to break into the network and collect user data. In fact, online resources have implied that Sony collects an unnecessary amount of personal consumer information, making PlayStation Network users especially vulnerable to malicious hackers. Online resources have faulted Sony executives for the security breach, claiming the company alienated the hacker community, scoffed at the idea of hackers penetrating Sony security, and spent their time hiring lawyers to sue hackers rather than hiring proficient security experts.
Sony’s Delayed Warning to PlayStation Network Users
The most alarming factor of this incident was the seven-day discrepancy between the date the network was actually hacked and the date that Sony revealed to consumers that their personal data may have been compromised. During these seven days, the PlayStation Network was inaccessible and users were not informed of the security breach, preventing consumers from being proactive and taking action to protect themselves from identity theft. According to Sony’s head of communications, this time lag was critical in allowing experts to conduct a forensic analysis in order to fully understand the nature and scope of the breach. Unfortunately, the extent of the hack is still unconfirmed.
Sony has put together an official update about PlayStation Network service outages which indicates that all PlayStation Network and Qriocity accounts may have been affected by the intrusion. According to this document, the attack on network servers is being taken seriously. The company has advised all PlayStation Network and Qriocity users to monitor credit card account statements and to immediately change the passwords and/or user names of any other services that are identical to those used on the PlayStation and Qriocity networks.
Potential PlayStation Network User Identity Theft
Unfortunately, Sony has failed to provide its users with adequate information to protect themselves from crippling identity theft. In a letter to Sony, Senator Richard Blumenthal called for the company to offer PlayStation Network users free financial data-security and credit-reporting services for the next two years. While Sony has hinted about offering financial compensation to make up for the network being inaccessible while the investigation is conducted, the company has refused to offer consumers any concrete details about the network intrusion and what it may really mean for PlayStation users.
The lack of information provided by Sony about the nature of the security breach is troubling; when a company is infiltrated and the personal data of consumers is exposed, it is essential that consumers are immediately notified about their potential involvement. Had PlayStation Network users received this information immediately after the hack took place, they may have been able to make an educated decision and take early action to protect themselves from serious harm.
PlayStation Network Hack Class Action Lawsuits
Since Sony has taken little initiative in protecting its users against identity theft in the wake of this incident, consumers are taking it upon themselves to hold Sony liable for its lack of action. On April 27, Kristopher Johns of Birmingham, Alabama filed the first class action lawsuit against Sony on behalf of all PlayStation Network users in the District Court for the Northern District of California. Sony faces numerous allegations, including failure to encrypt data and establish adequate security tactics to handle a server intrusion, failure to provide prompt and informative warnings of security breaches, and taking an unreasonable amount of time to bring the PlayStation Network back online. The class action lawsuit also alleges that Sony violated the Payment Card Industry security standard, which prohibits companies from storing credit card information.
This class action lawsuit seeks financial compensation for the loss of data, loss of network accessibility, the cost of credit monitoring, and other costs associated with the PlayStation Network security breach. Other individual or class action lawsuits may be filed against Sony by PlayStation Network consumers for failure to take reasonable care to protect, encrypt and secure the sensitive, personal data of its users, as well as failure to immediately alert consumers of their potential involvement in one of the largest internet security breaches in recorded history.