Yesterday, Sony updated the information on the data breach it announced last week, which has resulted in the shutdown of its PlayStation Network and Qriocity service for a week. The news is not good.
"We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network..."
"Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
The total number of compromised customer accounts may be as high as 77 million, according to some reports. Sony has called in the US FBI to investigate.
The Australian says there are 715,000 Australian PlayStation Network customers, and according to this report in the Sydney Morning Herald, the head of the New South Wales fraud squad, Detective Superintendent Col Dyson, is warning
"... Australian PlayStation users that they may have to cancel their credit cards after hackers stole enough information to even take out loans on the victims' behalf."
It will be interesting to see whether Detective Superintendent Dyson's advice is repeated in other countries as well.
I have no doubts that the Australian banks are "just loving" his warning, though. The cost of canceling credit cards and then reissuing them is not insignificant.
Australian Privacy Commissioner Timothy Pilgrim is also quoted in the SMH article as saying that he is "very concerned" and has launched an investigation into the matter. The investigation will likely center on why Sony has taken so long to notify its customers of the breach itself, and of the possibility that personal information was taken.
These same two concerns have also been raised by US Senator Richard Blumenthal from Connecticut, who sent a very public letter to Sony yesterday stating that he was "...troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections."
Senator Blumenthal wants Sony to explain what happened, why, and what it is going to do to protect its (Connecticut) customers now and into the future.
I fully expect the US Congress to announce hearings into this and other recent data breaches like that at Epsilon any day now. As the old politicians' saying goes, never let a good crisis go to waste, especially when it means a good photo opportunity. This one is shaping up to be a good crisis to exploit, especially since Sony is making itself such an easy target to criticize.
The European Privacy Commissioner, Viviane Reding, has been uncharacteristically quiet on the matter, but I expect that she will be speaking out about the issue soon as well.
This Reuters news story says that Sony makes about $500 million a year from the PlayStation Network, so the past week that the network has been shut down has cost the company about $9 - $10 million, not counting lost goodwill. That amount is likely only a down payment, however. The same Reuters story reports that, on the news of the extent of the breach, Sony's stock has dropped 2.0 percent in Tokyo today even as the broader market is up 1.4 percent.
The breach news is also overshadowing Sony's announcement of its first tablet computers. Selling points are the ability to play PlayStation games on them as well as to connect to Qriocity, which may have been a reason it took so long for Sony to sell a tablet computer in the first place. Those may be less compelling reasons to buy them now.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.