PSN Outage: Day 8 – Governments Get Involved Over Data Breach Fears Drew Wilson | April 28, 2011 Day 8 of the PSN outage. It appears that fears have been intensifying over the massive data breach where 70-77 million credit cards were stolen. After a class action lawsuit was launched against Sony, both the US and UK governments have expressed concern over this incident amid the growing concern over the lasting effects of this data breach. Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes Major, monumental, and historic, these are some of the words some are currently no doubt using to describe the security meltdown that happened with Sony’s PSN network. Yesterday, it was very apparent that 70 to 77 million identities were compromised. By yesterday afternoon, a class action lawsuit was filed against Sony in a California court. While a lot has happened yesterday, much more has happened today. As we sent a letter expressing his concerns over the data breach. It turns out that the US government isn’t alone in voicing concerns. After Eurogamer contacted the Information Commissioner’s Office (ICO) in the UK, the ICO apparently contacted Sony with their own concerns about the Sony data breach. From play.tm: The watchdog office stated that it “takes data protection breaches extremely seriously. Any business or organization that is processing personal information in the U.K. must ensure they comply with the law, including the need to keep data secure. We have recently been informed of an incident which appears to involve Sony. We are contacting Sony and will be making further inquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office.” If that wasn’t enough, fears over stolen data has only been growing in the last 24 hours. Security expert Graham Cluely has weighed in on the data breach saying that PSN users should cancel their credit cards. From TechRadar: “If you’re a user of Sony’s PlayStation Network, now isn’t the time to sit back on your sofa and do nothing,” said Cluely. “The fraudsters won’t wait around – for them this is a treasure trove ripe for exploiting. You need to act now to minimise the chances that your identity and bank account become casualties following this hack.” “That means, changing your online passwords (especially if you use the same password on other sites), and considering whether it would be prudent to inform your bank that as far as you’re concerned your credit card is now compromised.” After advice like that, it’s very interesting to hear what Visa has said in all of this. Visa recommended keeping a close eye on your credit card activities. From MCVUK: “Concerned cardholders should keep a close eye on their accounts and report any unusual or unexpected activity to their issuing bank,” a statement issued to MCV reads. “Cardholders who are innocent victims of fraud will get their money back, subject to the terms and conditions of their bank.” It’s curious that Visa recommends waiting until money has been stolen first. How long will it take for fraudsters to steal your money? According to unconfirmed reports, money is already vanishing from PSN users credit cards. VGN365 posted this excerpt from a users e-mail: A total of $300 was taken from my debit card on Saturday. However, my bank called me to notify me of a suspicious transaction and they confirmed it was indeed a fraudulent withdrawal. I’ve had to cancel my card and order a new one which the bank will transfer my previous account’s money into. The thing isI worry that many users who linked their bank accounts with their PSN account are in serious danger; I hope they all call their banks to immediately take action and prevent any fraudulent withdrawals. Another user also passed this along to VGN365: I had $200 taken out my debit card as well. This occurred in Florida and I live in MN. Luckily my bank’s fraud dept caught it right away and I have since cancelled my card. This just sucks. In all of this, GeoHot has even weighed in on this fiasco. From Geohot’s blog: o start, I sure am glad I don’t have a PSN account about now. And, as a onetime victim of identity theft, I feel for everyone who’s data has been stolen. I’m not going to make cracks at Sony for flipping a shit when /their/ data is compromised, and not even having the decency to apologize when it’s your data that’s misappropriated. And to anyone who thinks I was involved in any way with this, I’m not crazy, and would prefer to not have the FBI knocking on my door. Running homebrew and exploring security on your devices is cool, hacking into someone elses server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony. One of the things I was contemplating back in early January was a PSN alternative, a place for jailbroken consoles to download homebrew and game without messing up anyone else’s experience. Unfortunately events led me off of that path, but gamers, if I had succeeded you would have a place to game online with your PS3 right now. I’m one of the good guys. I used to play games online on PC, I hated cheaters then and I hate them now. Also, let’s not fault the Sony engineers for this, the same way I do not fault the engineers who designed the BMG rootkit. The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea. In the midst of all of this happening, Sony has been in full damage control at this point. One of the concerns was the speculation that personal data was not encrypted. Sony has now dismissed the allegations. From GameSpy: “All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.” Sony goes on to confirm that it still has not discovered any evidence to suggest credit card data was stolen. However, the console maker states that “out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.” Sony has also defended the slow security notifications. Slashgear has obtained the following comment from Sony: “There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion 19th April and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly yesterday evening.” Nick Caplin, Head of Communications, SCEE While it may be an answer, Slashgear also notes the following: Users themselves, unsurprisingly, aren’t particularly impressed with Caplin’s reasoning. They suggest that Sony was negligent in not flagging up even a potential suspicion of a data breach from the start, which would at least have given them a chance to change their passwords, cancel credit cards and take other steps to minimize the impact. Not exactly a ringing endorsement to say the least. Another concern is how long it’s taking to restore the network. After the blunder of saying a “day or two” several days ago, Sony now says that services will b restored within a week. The next question is, will Sony players return to the network after this massive data breach? Only time will tell at this stage. Do you think Sony’s handling of the situation is adequate? Drew Wilson on Twitter: @icecube85 and Google+.