DKT27 (Administrator), posted April 26, 2011

Sony acknowledged today that the personal information of its PlayStation Network customers has been compromised.

The company posted an update on its blog today warning its more than 70 million customers that their personal information, including customer names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, and user names, as well as online user handles, was obtained illegally by an "unauthorized person." The data was accessed between April 17 and April 19, according to Sony.

With respect to credit card information, which many users have given to Sony in order to purchase or rent content via the service, Sony is less sure of what transpired. "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," a company spokesman wrote today.

"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

And as a result, Sony has temporarily turned off PlayStation Network and Qriocity, its subscription music service, contracted with an outside security firm to investigate the intrusion on its network, and started to rebuild its system and security. Sony would not say whether the company had contacted the FBI or any law enforcement about the breach.

It took Sony five days to level with its customers about the consequences of what knocked its service offline. Midway through last week users noticed error messages when trying to sign into the service. While the company initially acknowledged the service was inaccessible on Friday, it offered no explanation of why and said PSN would be back up and running in a "day or two." Yesterday Sony acknowledged an "external intrusion" on its network and said it was in the process of rebuilding PSN.
It never hinted that personal data was compromised, and it's unclear what took them so long to do so. The company says it is currently in the process of e-mailing all of its customers about the intrusion.

At potentially 70 million records exposed, the Sony breach could be one of the largest. The DataLossDB.org site lists four larger breaches with the Heartland breach in 2009, which exposed about 130 million records, at the top, followed by the TJ Maxx breach at 94 million records in 2007.

The news comes three weeks after dozens of companies notified their customers that names and e-mail addresses were exposed in a breach at e-mail marketing service provider Epsilon. The companies affected included a who's who of retail brands, including Citibank, Chase, Capital One, Walgreens, Target, Best Buy, TiVo, TD Ameritrade, and Verizon. It's unclear how many individuals were affected by that breach.

What should you do?

Finding out whether credit card account information had been exposed is key to assessing the risks for Sony customers. With that information fraudsters can take over bank and credit card accounts and make purchases. Without that financial information individuals run the risk of having their Sony PSN accounts hijacked and being targeted with phishing attacks.

For instance, customers should be wary of e-mails that purport to come from Sony and which ask for credit card or other sensitive information, said Beth Givens, founder and director of the Privacy Rights Clearinghouse.

People whose information was exposed in the breach should change their Sony account passwords and password security questions when the network is back online, and ignore e-mails asking for sensitive information from anybody, Givens added. In addition, she suggested people affected by the breach monitor for fraudulent activity on their credit card that Sony had on file, just in case the accounts were exposed.
(More details on identity fraud and what consumers can do to protect themselves can be found here.)

"One of the things I'm critical of Sony about is (them) not being more forthcoming with details of the breach," Givens said. "It leaves the affected individuals in the dark, with more questions than answers."

Failing to notify customers about the breach for seven days is not uncommon, Givens said, adding that the situation depends on what they knew when. "If they were absolutely certain about the details of the breach and the extent of it six or seven days ago, in my opinion, they should have alerted their customers."

Under California law, the type of information that triggers the notice requirement is an individual's name plus one or more of the following: Social Security number, driver's license or California Identification Card number, financial account numbers, medical information or health insurance information. So, if credit card numbers were compromised, then Sony would need to notify the affected persons under California and other state laws, according to Givens. But if not, technically it would not be required to provide notice, she said.

"However, 'best practices' these days is to notify no matter which data elements have been affected," she added. "They would suffer a big PR black eye if they were not to disclose and it were discovered and made public some other way."

Users react

In the meantime, Sony says it "has a clear path" to bring PSN and Qriocity back online "within a week." But how many customers will be ready to hand over new credit card information and trust Sony with their passwords and addresses again? As it is, because the network is down, PSN users can't access the PSN Web site or the service via the PS3 to change their passwords or delete their personal info and credit card.

CNET reader Konfuzed expressed dismay over the timing. "Why in the world would Sony wait six days to tell me I should be concerned about my PII?
Their customer service leaves a lot to be desired. I have stopped using brands over much less...Not saying I'm giving up my PS3 though."

"Really? Almost a week before telling me that my CC# may have been compromised???? SONY this is unacceptable!," wrote a reader who goes by elgrislobo.

And the ire from customers angry that it took the company this long to explain the extent of the damage continues to pour out on blog comments. On Sony's official PSN blog, user Korbei83 wrote, "If you have compromised my credit information, you will never receive it again. The fact that you've waited this long to divulge this information to your customers is deplorable. Shame on you. Excuse me while I go change my password...oh wait. I can't."

"It was the almost complete lack of communication from Sony that is so disappointing to me. As a tech guy I am completely stunned at Sony's slow and horrible response to this issue," wrote ricksterd64. "Whatever disaster plan you had you can just go ahead and stamp it with a giant red 'F' and go back to the drawing board and come up with a better disaster plan for the future. One which keeps the users and supporters of their systems including developers a little better notified as to what is going on."

View: Original Article
DKT27 (Administrator, Author), posted April 27, 2011

PlayStation Network users may have credit card details stolen due to breach

For a week now, Neowin has been actively reporting on Sony's PlayStation Network as many gamers find that they're unable to connect. As reported by Sony themselves, the reason for the downtime was because of an 'external intrusion' which caused Sony to take PSN offline and start to rebuild the system. Although gamers everywhere were sad to see they couldn't access the service, today Sony reported what has to be the biggest issue with the external intrusion.

In a blog post on their website Sony claim that between April 17 and April 19, the account information of some PSN and Qriocity service users was compromised due to the intrusion. As well as temporarily shutting down PSN and Qriocity services they have contacted a security firm so that they can conduct a full investigation into the matter. As previously reported by Neowin they also added that they have begun to rebuild their system in an attempt to enhance their security so that they don't encounter a similar problem anywhere in the near future.

Unfortunately for its users, practically all of the information they have personally entered is at risk including name, address, country, email, birthdate, PSN/Qriocity login and password, PSN online ID and even a chance that your purchase history, billing address, password security answers and credit card number - along with expiration date - may have been taken too.

Sony urges its users to be aware of any email, telephone and postal mail scams that may ask you for sensitive information as they will likely be a scam. Sony will not contact you in any way in relation to the incident. Once PSN and Qriocity services are back online it would be a smart idea to change your account password in addition to any other websites that may have the same login/password.
The company stated that its users can expect to see some of the services back online within a week.

View: Original Article
eqagunn, posted April 27, 2011

Sony warns of identity theft resulting from PSN attacks

Sony Computer Entertainment's latest news update for the ongoing PlayStation Network and Qriocity outage addresses the main and very serious issue of the unauthorized intrusion which forced the console giant to shut their online services down in the first place.

PSN users have been informed of possible compromises of personal information tied to their user accounts as a result of "malicious actions", confirming that SCEA's battle thus far has been one against hackers. SCEA cautions that an outside party may have obtained PSN login (account username and password) and contact details (mailing address), as well as PSN account profile data like purchase history.

SCEA has tapped into the services of an "outside, recognized security firm" to conduct a thorough investigation as to how this mess managed to occur.

While SCEA cannot confirm if actual credit card data tied to PSN accounts were similarly compromised, the company is advising PSN users that it wouldn't hurt to keep an eye out for some very suspicious correspondence in the near future:

"For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well."

PSN users will also want to keep a keen eye on their credit report statements for equally suspicious financial activity.
SCEA helpfully reminds its customers in the US that they can contact their friendly neighborhood credit bureau for their free reports, and they may even place fraud alerts on their credit report files if they want to be extra safe at the cost of some extra verification on your part whenever you need to do something related to your credit score.

On a brighter note, SCEA believes it is on a "clear path" to recovery following their big decision to "rebuild" the PSN and Qriocity services, and expects to have these restored "within a week". The first thing for users to do once they can get back on to the PSN then is to change their passwords.

Update: Reuters reports that the information from possibly 77 million PSN accounts (note that this does not necessarily equate to 77 million actual people) was compromised as a result of this security breach, which the SANS Institute believes could be one of the largest cases of online identity theft yet.

View: Original Article