Courts, Congress enter fray on PlayStation data breach

Sony admitted this week that, between April 17 and April 19, hackers had obtained PlayStation Network user names, addresses, email addresses, birth dates, passwords and IDs, and had disrupted the PlayStation Network itself. The company stressed that it had “no evidence” that credit card information was taken, although “we cannot rule out the possibility.”

One of the PlayStation users, Kristopher Johns of Birmingham, Ala., filed suit in US District Court for the Northern District of California charging Sony with not taking “reasonable care to protect, encrypt, and secure the private and sensitive data of its users”, according to a Cnet report.

The suit claims that Sony’s delay in notifying users deprived them of the opportunity “to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.”

Sen. Richard Blumenthal (D-Conn.), who weighed in on the Epsilon data breach, said that Sony should pay for credit report services for PlayStation users and insurance to protect them against any financial consequences of the breach.

In a letter to Jack Tretton, Sony Computer Entertainment America president and chief executive, Blumenthal criticized Sony for the delay in notification to users. “I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach”, Blumenthal wrote.

Sony explained that the delay in notification was the result of waiting for outside experts to conduct forensic analysis and for Sony experts to understand the scope of the breach.

Some analysts are puzzled by the time lag in informing users. “One of the most alarming aspects of this latest major breach is the time it has taken Sony to reveal the extent of the damage”, said Ross Brewer, vice president and managing director of international markets at security monitoring firm LogRhythm. “Compromised user accounts were discovered as early as 17 April and the [PlayStation Network] was closed down last Wednesday, yet it has taken seven days to warn users that they are now at increased risk of email, telephone, and postal mail scams, as well as credit card fraud.”

Security experts are offering advice to PlayStation users to protect themselves. “You need to act now to minimize the chances that your identity and bank account become casualties following this hack”, said Graham Cluley, senior technology consultant at security firm Sophos. “That means changing your online passwords (especially if you use the same password on other sites), and considering whether it would be prudent to inform your bank that as far as you’re concerned your credit card is now compromised.”

Cluley said that even though Sony found no evidence that credit card information was stolen, this should not lead to complacency on the part of users. "The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is very disturbing…you should cancel that card immediately. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.”

David Emm, senior security researcher at Kaspersky Lab, said that PlayStation users should take the following steps: “monitor your bank accounts carefully for signs that your banking details may have been compromised – and contact your bank about anything that looks suspicious; change your [PlayStation] password – especially if you have used the same password for any other online account; watch out for e-mail that claims to come from Sony and asks for personal information.”
