PSN Outage: Day 9 – Sony Threatened With Fines As World Gov’t Involvement Increases

Sony, Visa and a few others have been trying to reassure PSN (PlayStation Network) users that their credit card information is still safe in spite of unverified reports that money is already being stolen from customers. As we enter day 9, we are learning that not only are more governments getting involved, some are even taking the extra step of threatening the embattled company with fines over the data breach.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.

This outage has become quite a saga for Sony. It started with a temporary outage that grew into a massive data loss and now, it’s become an international incident. With a story so large, it is becoming difficult to keep track of every development. Yesterday, both the UK and US governments became involved in the data breach. Meanwhile, on the same day, a Supreme Court ruling suggested that it is entirely possible for companies to shield themselves from class action lawsuits. Whether or not that could hamper the current class action lawsuit has been a subject of debate. Geohot, a hacker who discovered the PS3 root keys, weighed in on this himself, saying that Sony should have hired more security experts instead of lawyers.

So, what are the latest developments on the most talked about story here on ZeroPaid? We begin with news from a Chinese outlet, China Post, which is reporting that Taipei City has sent a letter to Sony demanding answers to this fiasco. The letter says that Sony must fix the problem within ten days or face fines between NT$30,000 and NT$300,000. From the China Post:

Taipei City Government Law and Regulation Commission Chairman Yeh Ching-Yuan said Sony’s leak severely compromises PSN subscriber identity which should be considered a clear breach of consumer property rights.

According to the Consumer Protection Law, business operators are responsible for “facilitating the safety of the consumer life of nationals, and improving the quality of the consumer life of nationals.”

Yeh said Sony Corp. must provide the number of subscribers in the Taiwan area and explain why, although the cyber attack occurred between April 17 and 19, that it did not turn off the hacked services until April 20 and did not offer an official explanation until April 26. Furthermore, Sony Corp. must detail the risks and possible impact inherent in the leaked user information and offer methods of repair as well as compensation.

That government in China isn’t the only government now getting involved. Canada’s privacy commissioner is also investigating the incident. There’s only so much the Privacy Commissioner of Canada can do (fining a company is not something the commissioner can do). While the commissioner isn’t happy that Sony did not notify them of the breach, Sony isn’t technically required to do so. From Edmonton Journal:

“We are currently looking into this matter and are seeking information from Sony,” Valerie Lawton said in an email. “We will determine next steps once we have a full understanding of the incident.”

“It is also possible that your profile data, including purchase history and billing address, and your PlayStation Network/Qriocity password security answers may have been obtained,” Sony told users on its blog Tuesday.

Australia’s privacy commissioner is also getting involved. The concern for Australia’s privacy commissioner was whether or not Sony notified customers of the data breach fast enough. From Smart Company:

“I am very concerned by news reports that hackers have stolen data from users of the Sony PlayStation Network,” privacy commissioner Timothy Pilgrim said in a statement.

“Our office is contacting Sony seeking further information about this matter and we will be opening our own investigation.”

While the PlayStation Network — which services over 70 million customers and over 700,000 in Australia — was brought down last week, it was only in the past few days that Sony confirmed a breach of the network had occurred.

Meanwhile, US government involvement has increased as the Department of Homeland Security is now being called in to help investigate the data breach. From Gamasutra:

“The Department of Homeland Security is aware of the recent cyber intrusion to Sony’s PlayStation Network and Qriocity music service,” DHS spokesman Chris Ortman told government technology site NextGov. “DHS’ U.S. Computer Emergency Readiness Team [CERT] is working with law enforcement, international partners and Sony to assess the situation.”

So, overall, there are 5 countries involved now: the US, UK, Canada, Australia and a city government in China. If nothing else, this further shows just how big this data breach really is.

Sony was in damage control mode yesterday, saying that users’ data is safe because they did encrypt the information after all. This was amidst a handful of unconfirmed reports that users’ money was already disappearing from their accounts. While Sony and even Visa might be saying that they have no evidence to suggest that users’ credit card information has been stolen, more reports are surfacing that users’ credit cards have been stolen.

One man in Australia reported to ABC that a total of $2,000 AU in unauthorized charges had been made on his credit card. From ABC:

Sony has shut down the network while it tries to figure out how hackers were able to steal the details of so many customers.

Adelaide man Rory Spreckley checked his banking details on Wednesday and got a shock.

“I logged into my bank account just to check everything was OK and I found out there was some just over $2,000 in charges which I didn’t personally accrue,” he said.

The scary thing is, he isn’t alone in these reports. Another report surfaced on Twitter saying that $1,500 was charged to another person’s credit card. While it’s unconfirmed that that incident was directly related to the Sony data breach, it certainly has the Twitter user on edge.

In fact, one unconfirmed report suggests that these stolen credit cards are being sold in underground marketplaces in bulk. One user is apparently saying that they obtained 2.2 million cards from the breach. From The Guardian:

Kevin Stevens, a security analyst with Trend Micro, said in a tweet that “the hackers that hacked PSN are selling off the DB [database]. They reportedly have 2.2m credit cards with CVVs” – the latter being the three-figure number required for “card not present” transactions.

But Stevens added that he couldn’t be sure the claim was true. The hackers were also claiming to have offered to sell the database back to Sony, but that the company declined it. Sony spokesman Patrick Seybold said that as far as he knew there was no truth in that claim.

Speculation is growing that the hackers who carried out the attack could be European, based on the names being used in forums, though no further details have emerged so far.

One reader of Venturebeat said he had been contacted by Sony and told that his card might have been compromised, and discovered two new charges totalling $400 he hadn’t made.

Meanwhile, one report is saying that Sony is not going to be resetting users’ accounts. Gamepur quoted James Gallagher, SCEE Blog Manager, as saying, “We’re not resetting accounts or anything like that, so when PSN is restored and you log on, everything will be as you left it.”

So, overall, it sounds like Sony is trying to project the image that no credit card information was stolen. As increasingly credible reports surface that users’ credit cards have, in fact, been stolen, that might become an increasingly difficult sell to the public.

Do you think that credit cards have been stolen at this point, or do you think that reports of stolen money are not true?

Drew Wilson on Twitter: @icecube85 and Google+.
