by Craig

Astonishing admission from Sony

You see security breaches all the time these days, from Play.com thinking it might have had some email addresses leaked to Cotton Traders losing credit card details during a hacking attempt. But never before have we seen something on the scale and exposure of the Sony hack, where up to 77 million users could be affected.

The admission from Sony this week sheds some light on what is likely to be a very embarrassing and extremely expensive lack of standards at Sony.

A company that is known for quality writes:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

So to pick apart that statement, they believe someone has obtained:

  • your name
  • address and country
  • email address
  • birthdate
  • login AND password
  • handle/PSN online ID

and say they cannot rule out that the same person also obtained:

  • purchase history and billing address
  • password security answers
  • credit card number and expiration date

The only thing seemingly not obtained was the security code for your credit card. But the rest is enough for someone to easily impersonate you in a huge shopping spree or, worse, try to log in to other sites where you use the same username and password.

What amazes me most, from an IT security point of view, is the admission of loss of passwords and credit card details. These things are routinely protected in databases to give you the sort of defence in depth that offers some protection against this kind of attack: passwords should be stored only as salted one-way hashes, so that nothing in the database can be turned back into the password a user typed, and card numbers should be encrypted with keys kept away from the database (the PCI DSS rules that apply to anyone storing card data require that stored card numbers be rendered unreadable). Assuming that these were stored in the clear, that is the sort of thing that makes people cry negligence and, when huge losses are concerned, that could well bring court cases. The other possibility is that they were stored encrypted and the hacker used Sony’s own software to decrypt those details and download them, but that is a huge security flaw with similar questions over security.
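To make the defence-in-depth point concrete, here is an added example of what "stored only as a salted one-way hash" looks like in practice, and of what a thief holding a dump of such a table is reduced to doing. This is illustrative code written for this post, not Sony's code or anything known about the PSN systems; the record format, the iteration count and the sample accounts are this example's own assumptions.

```python
"""Salted, iterated password hashing (PBKDF2-HMAC-SHA256) as the storage
control discussed above. Added illustration; not Sony's code."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for the example; an assumption, tune upwards on real hardware.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    The salt is random per user, so two users with the same password get
    different records and one precomputed table cannot be reused across them.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Note there is no decrypt step anywhere: the site never needs to recover
    the password, only to check a candidate against the record.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed or plaintext record; never a match
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def dictionary_attack(records: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """What an attacker holding the dumped user table is left with.

    With hashed records the only option is to guess and pay the full work
    factor per guess per user. Returns {user: recovered_password} for every
    record some wordlist entry matches, which is why a weak or reused
    password still needs changing after a breach even if storage was sound.
    """
    found = {}
    for user, rec in records.items():
        for guess in wordlist:
            if verify_password(guess, rec):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    # Constructed sample accounts; names and passwords are made up for the demo.
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),  # same as alice
        "carol": hash_password("password123"),
    }
    print("same password, different records:", users["alice"] != users["bob"])
    # A small constructed wordlist standing in for an attacker's dictionary.
    print("recovered by guessing:", dictionary_attack(users, ["letmein", "password123"]))
```

The two things worth noticing are that the site can check a login without ever being able to read the password back, and that a leaked table of hashes still yields the weak passwords to plain guessing, so the advice later in this post to change a reused password stands regardless of how Sony stored them.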

Sony are a big, grown-up company with an important brand to protect, so for them to come out and say this means something has seriously gone wrong. For them to keep the network offline for this long means it is so core to their systems that they are probably rewriting some of the core systems from scratch. This will present them with a real problem when they eventually tell all of us what really went wrong and what they did to fix it. It will either reveal a huge internal problem, and we will wonder why they didn’t take security more seriously, or give too little information and so not really generate any confidence in their once-hacked systems.

Dark times for Sony, and for anyone who used the PlayStation Network (like we did) I would advise you to immediately cancel the credit card that was tied to that account and get a new one from your provider. Furthermore, if you used that password somewhere else (like Amazon, for example) I would advise you to change that password as well.

The “abundance of caution” in that Sony statement was perhaps what should have been displayed by Sony when they wrote the security systems in the first place and saved everyone a lot of hassle.