The big news today (and it is big — approximately 77 million affected across the world) is Sony’s admission that their PlayStation Network (PSN) was hacked. According to Sony’s FAQ on the issue, personal details were leaked. It is another example showing that the use of data encryption programs is required when dealing with sensitive data in the cloud.
Update (28 APR 2011): Sony has released “Q&A#1” where it states that credit cards were encrypted. I’m glad I didn’t jump to conclusions. Like I said, companies sometimes don’t reveal they’ve used encryption, and I can’t fathom why.
38 Countries, One Continent, and One Sub-Continent Affected
Sony admitted in its FAQ that there was an “unauthorized intrusion” into PSN between April 17 and April 19. Once they detected it, the rest became history in the annals of consumer relations: PSN was shut down in its entirety for 5 days, causing a cacophony of complaints across every corner of social media.
The FAQ is the first official explanation of what’s going on. All accounts in PSN and Qriocity have been compromised, meaning that 77 million people are affected.
Based on the customer support contact details they’ve provided, it translates to people in 38 countries, Africa, and the Middle East.
Personal Information Leaked
According to the FAQ:
Q.6 Does that mean all users’ information was compromised? Tell us more in details of what personal information leaked.
In terms of possibility, yes. We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID. It is also possible that your profile data may have been obtained, including purchase history and billing address (city, state/province, zip or postal code)…. have provided your credit card data through PlayStation Network or Qriocity, it is possible that your credit card number (excluding security code) and expiration date may also have been obtained.[my emphases]
Did you notice the “in terms of possibility, yes”? It almost appears to me that Sony still doesn’t quite know what was taken. It seems they’re merely saying “hacker(s) intruded into our network, and this is what was vulnerable, so chances are it was taken.”
Problems All Around
There are a number of things that are seriously wrong about the above admission. Andy Yen over at lalawag.com picked up on a number of them:
Not only do they have your contact information and birthdate, but they have your friggin’ password and password security answers! Does this mean that Sony stupidly stored your passwords in plaintext somewhere? How dumb/cheap/lazy must your company be to store 70 million passwords in plaintext?
Me? I’m not going to assume that Sony stored passwords in non-hashed plaintext just because they:
never mentioned it; and,
noted that passwords should be changed immediately (my own observation).
There are plenty of companies that don’t mention whether security was present, although I can’t fathom why (I’ve even come across companies that don’t admit to having used encryption software to protect data when they have, meaning a breach is potentially harmless).
Also, even if the passwords are hashed (i.e., transformed so that the plaintext version is not stored), commonly used passwords can still be figured out quite easily: a hash is a one-way function, but anyone holding the hashes can hash a list of popular passwords and compare the results. A recent example is Gawker’s data breach. No doubt that many among the 77 million on PSN have used easy-to-crack passwords, so Sony warning everyone to change passwords is good advice in general.
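The point above, as an added example that is not part of the original post: an audit that flags accounts whose unsalted hashes match a short common-password list, beside the salted, slow-hash storage that defeats such list comparisons. The wordlist, usernames and passwords are constructed.

```python
"""Added example (not from the original post): why a leaked unsalted hash of a
common password is recovered almost instantly, and what a per-user salt plus a
slow key-derivation function changes. All names and data are constructed."""
import hashlib
import hmac
import os

# Constructed stand-in for the lists crackers build from earlier breaches
# (Gawker etc.); real lists run to millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "sony123"]


def naive_hash(password: str) -> str:
    """Unsalted, fast hash: what 'we hash passwords' too often means."""
    return hashlib.sha1(password.encode()).hexdigest()


def audit_unsalted(leaked_hashes: dict) -> dict:
    """Defender-side check: which accounts' unsalted hashes equal the hash of
    a common password. One hash per candidate covers every account at once,
    which is exactly why unsalted storage is weak."""
    lookup = {naive_hash(p): p for p in COMMON_PASSWORDS}
    return {user: lookup[h] for user, h in leaked_hashes.items() if h in lookup}


def store_salted(password: str, rounds: int = 100_000) -> tuple:
    """Hardened storage: random per-user salt and PBKDF2-HMAC-SHA256, so the
    same password yields a different stored value for every user and each
    guess costs `rounds` iterations."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, dk


def verify_salted(password: str, salt: bytes, dk: bytes, rounds: int = 100_000) -> bool:
    """Constant-time comparison of the derived key for a login attempt."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(cand, dk)


if __name__ == "__main__":
    leaked = {"alice": naive_hash("123456"), "bob": naive_hash("c0rr3ct-h0rse!"),
              "carol": naive_hash("qwerty")}
    print(audit_unsalted(leaked))  # alice and carol are flagged; bob is not
```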
Names, addresses, billing addresses, and credit card information could be used in some kind of off-line phishing scheme. Most people don’t know that the first 6 digits of credit cards are bank identifiers, so a criminal could create a letter coming from a Sony customer’s correct bank asking for details to be updated due to Sony’s breach. What could be more natural?
Speaking of banks and credit cards, I love this particular entry in Sony’s FAQ:
Q.8 Have you received reports or claims that their PSN ID information/ credit card had been used improperly?
Not at this point in time.
At first glance, it’s rather funny: Seeing how this FAQ is essentially the first time that Sony has admitted to there being an intrusion into their networks, it does not surprise me that nobody has reported to Sony that credit cards have been misused. How would gamers know?
On the other hand, you’ve got to keep in mind that credit card companies do keep an eye for unusual activities, and when they receive a certain number of complaints of credit card misuse, they’re able to find a common point of origin based on charge history.
Had they found that thousands of card holders showed PSN as a common charge, no doubt that Sony would have been alerted.
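The “common point of origin” analysis described above, as an added example that is not from the original post: given charge history and a set of cards reported for misuse, it ranks merchants that nearly every reported card has in common. The charge records, card ids, merchant names and the 90% threshold are constructed assumptions.

```python
"""Added example (not from the original post): common-point-of-purchase
analysis over constructed charge history. Card ids, merchant names and the
threshold are assumptions made for illustration."""
from collections import Counter

# Constructed charge history: (card_id, merchant). Real data is months of
# authorizations per card.
CHARGES = [
    ("c1", "GROCERY_A"), ("c1", "PSN"), ("c1", "GAS_B"),
    ("c2", "PSN"), ("c2", "CAFE_C"),
    ("c3", "PSN"), ("c3", "GROCERY_A"),
    ("c4", "PSN"), ("c4", "AIRLINE_D"),
    ("c5", "GROCERY_A"), ("c5", "GAS_B"),      # never charged at PSN
    ("c6", "CAFE_C"), ("c6", "PSN"),
    ("c7", "GROCERY_A"), ("c7", "CAFE_C"),     # no misuse reported
    ("c8", "GAS_B"), ("c8", "AIRLINE_D"),      # no misuse reported
]

# Constructed fraud reports: card holders who complained of misuse.
FRAUD_REPORTS = {"c1", "c2", "c3", "c4", "c6"}


def merchants_per_card(charges):
    """Map each card to the set of merchants it has been charged at."""
    seen = {}
    for card, merchant in charges:
        seen.setdefault(card, set()).add(merchant)
    return seen


def common_points(charges, fraud_cards, min_share=0.9):
    """Return (merchant, share among reported cards, share among all cards)
    for merchants present on at least `min_share` of the reported cards,
    ranked by how far the fraud share exceeds the baseline. A merchant that
    nearly every reported card shares, but cards in general do not, is the
    candidate point of compromise the issuer would escalate."""
    by_card = merchants_per_card(charges)
    fraud = [by_card[c] for c in fraud_cards if c in by_card]
    if not fraud:
        return []
    fraud_counts = Counter(m for ms in fraud for m in ms)
    all_counts = Counter(m for ms in by_card.values() for m in ms)
    out = []
    for merchant, n in fraud_counts.items():
        share = n / len(fraud)
        if share >= min_share:
            baseline = all_counts[merchant] / len(by_card)
            out.append((merchant, round(share, 2), round(baseline, 2)))
    return sorted(out, key=lambda t: t[1] - t[2], reverse=True)
```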
Also of concern are the compromised password security answers. For example, if one of those answers was for “mother’s maiden name,” it could be used for changing account details at banks and credit cards.
Before ending this post, I should remark that if 77 million credit cards were affected, the breach would have the dubious honor of surpassing TJX’s breach from 4 years ago, where 46 million credit cards were affected. However, we have to keep in mind that it’s 77 million accounts. People who only use the free portion of PSN won’t have to deal with credit card security issues.
Encryption can’t be used everywhere; however, incidents like the above show why it should be considered, especially when you’re dealing with gargantuan numbers.