It is now day 7, one full week since the PSN outage began. At this point, people are calling this outage more of a disaster, since it is definitely apparent that over 70 million accounts have been compromised – this includes credit card information.
Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.
Sony is currently advising people that when the network is brought back up, users should immediately change their passwords. One source is suggesting that the credit card information might not have been encrypted, contrary to what conventional wisdom might suggest.
CNET notes that the case is already receiving political attention:
Sen. Richard Blumenthal, a Connecticut Democrat, wrote a letter to Jack Tretton, president and chief executive of Sony Computer Entertainment America, saying he was troubled that the company had not notified customers sooner about the breach. He also called for Sony to provide affected customers with financial data security services, including free access to credit reporting services for two years to protect against identity theft.
“When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised… I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party,” Blumenthal wrote in the letter. “Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised.”
It’s a bit difficult to really understand the scope of such a large data breach. Luckily, DatalossDB.org can put such a loss of data into perspective. According to the database, this is the fifth-largest data breach of all time. The only data breaches that top it are the National Archives and Records Administration case of 2009 (76 million), the TRW, Sears Roebuck case of 1984 (90 million), the TJX Companies Inc. case of 2007 (94 million) and the granddaddy of them all, the Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank case of 2009 (130 million).
As we noted yesterday, some are pointing to a custom mod known as ReBug that might have been the culprit. This clearly takes a lot of heat off of Anonymous, who received a lot of heat from the incident – very likely wrongfully at this stage.
As of this writing, the PSN network is still down. It’s very likely that this is not only another black eye for Sony, but it could also very likely spark litigation if Sony didn’t do enough to protect users’ data.
So, with such a data breach going on, what is the recommended course of action at this point? If I were a PSN network user and had my personal data on the network, I would immediately get in touch with the bank that issued the card that is tied to the PSN network. If it’s a credit card, what would likely happen is that the bank will cancel that credit card and issue a new one. Potential identity thieves can’t use credit card information from a credit card that has been cancelled. While it is a more extreme measure than the other recommended course of action – to simply monitor the account for suspicious behaviour – it is nevertheless a safer guarantee that your information cannot be stolen. The trade-off is that cancelling the credit card tends to be more of a hassle, with the activation of a new card, but the question then becomes: how much hassle are you willing to go through in order to make sure you don’t have your money stolen? Still, it is recommended that you first speak to the branch you got your card from to discuss what happened, because chances are the bank that issued the card tied to your PSN network account will know the best course of action.
Do you think this data breach is concerning?