In one of the largest data security breaches publicly known, Sony has announced a hacker intrusion of its PlayStation Network. The stolen data affects 77 million Sony PlayStation Network users. As a recent PC World article pointed out, “77 million people is more than the population of France and Belgium combined, or a quarter of the population of the United States.”
While we are investigating the cause of the Network outage, we wanted to alert you that it may be a full day or two before we’re able to get the service completely back up and running. Thank you very much for your patience while we work to resolve this matter. Please stay tuned to this space for more details, and we’ll update you again as soon as we can.
We sincerely regret that PlayStation Network and Qriocity services have been suspended, and we are working around the clock to bring them both back online. Our efforts to resolve this matter involve re-building our system to further strengthen our network infrastructure. Though this task is time-consuming, we decided it was worth the time necessary to provide the system with additional security.
We thank you for your patience to date and ask for a little more while we move towards completion of this project. We will continue to give you updates as they become available.
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1. Temporarily turned off PlayStation Network and Qriocity services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
Not all of the PlayStation Network user accounts are connected to credit cards. However, anecdotal incidents are already surfacing of PlayStation users receiving reports of unauthorized use on their credit cards. Many PlayStation users are upset that it took Sony almost one week to tell them of the possible compromise of credit card information.
It’s not only the sheer number of users that separates this hacker breach from others. It’s the breadth of the information taken on each user. Sony’s own blog post lists the information as name and full mailing address, billing address, email, birthdate, PlayStation password and login, answers to security questions, purchase history and possibly credit card information.
How many of us use the same (or similar) logins and passwords on multiple accounts? The compromised PlayStation data provides a username and password that can be tried on other accounts. Even if the passwords aren’t exactly the same, with the accompanying customer profile info, it might be possible to derive the correct password.
How many of us have the same answers to security questions on multiple accounts? The compromised PlayStation data provides the security questions and the answers. If your login is your email, or otherwise known, it's possible for a hacker to correctly answer a security question to reset your password and hijack your e-mail or some other account.
If a hacker is looking for a mother’s maiden name, or the name of your pet, or the name of your high school to answer a security question, with the compromised PlayStation info from the customer profile, this hacker could find a person’s Facebook account and possibly get the information from there.
How many of us have our birthdate as one of the security questions for our health insurance or medical records information? The compromised PlayStation data contains that, so this account, too, can be reset and hijacked.
With mailing, billing and email address, plus purchase history provided by the compromised PlayStation data, it’s possible to target certain individuals with bogus requests for additional information pretending to be a credit card company, or Sony, or even someone familiar, by finding the user's Facebook or Twitter account.
If this security breach were only a matter of stolen credit card numbers, it would be bad enough. Many reports are focusing on this part of the story, and it's a huge concern. But what is not fully understood yet is that the amount of information contained in each breached Sony account, combined with some common habits on the part of computer users, could possibly lead to unauthorized entry into all kinds of password-protected internet accounts beyond just credit cards. Remember, 77 MILLION accounts.
Imagine if you were to match the Sony breach data with publicly available social network information. You would be able to surmise what kind of internet accounts an individual was likely to have (because of job, hobbies, what the users and friends talk about), and target those possible websites with your user data to hijack certain accounts, like computer access at work, Amazon and eBay. Unnerving, no?
UPDATE May 10:
Sony has now stated that personal data from 24.6 million Sony user accounts was taken during the hacker intrusion last month. This is separate from the 77 million PlayStation user accounts that were compromised. This means that the total number of user accounts taken is now over 100 million.
Sony also announced that it was aiming to restore its PlayStation Network by the end of May. This would be about six weeks from the discovery of the initial intrusion and shutdown of the network.