The news understandably panicked many, as evidenced by the number of Giant Bomb users who've confessed to considering canceling their cards. I've spent the last day speaking with experts to gain a better sense of what happened, what might happen with the data and any legal fallout from this ordeal.
Rumor quickly spread yesterday that banks may have been aware of the leak ahead of time. I contacted Bank of America and Chase, two financial institutions where I actually hold accounts, and both denied this. Pushing back on rumors that Sony waited days to inform PSN users their data was accessed, senior director of corporate communications and social media Patrick Seybold clarified Sony's timeline.
"There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised," said Seybold. "We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon."
The timeline has been a point of contention for PSN users, and understandably so. The matter is rather complicated, as the legal requirements for disclosing data breaches like this vary from state to state.
If you're not interested in waiting, you can actually pull up your own state's laws concerning breach disclosure through the National Conference of State Legislatures website. For example, in California:
"Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."
"The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation."
The laws allow companies to hold back on disclosing the breach if criminal activity could be involved. Given that Sony has been under siege from hacking groups, including Anonymous, there would be reason for Sony to rely on this. That's not to say Sony did, only that the option exists, at least under California law.
And while most folks aren't really concerned about what Sony's legal response is, it's certainly a factor. It was hacked, and whatever security issues PSN may or may not have had, that's not something it'll let pass.
The initial legal shot was fired today, with Kristopher Johns of Alabama filing the first class action lawsuit on behalf of PSN users in the US District Court for the Northern District of California. Part of his argument:
"This action is brought on behalf of plaintiff individually, as representative of the common or general interest and as class representatives for all others similarly situated nationwide against SONY to redress defendant’s breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information."
Sony is not the first company to encounter such a breach, and it will not be the last. In 2009, Heartland Payment Systems was hit, resulting in the theft of a whopping 130 million credit and debit card numbers. In 2007, retailer TJ Maxx owned up to a data breach that had existed since 2005, thanks to an unsecured wireless network at one of its stores. Tens of millions of credit and debit card numbers were obtained over the course of nearly two years. The hacker, Albert Gonzalez, was eventually sentenced to 20 years.
Whether legal action is taken against Sony won't put the genie back in the bottle, so to speak. Your data, along with the data of 77 million other consumers who put their faith in Sony's system, was improperly accessed last week. It's more helpful (but disconcerting) to wonder what might now happen with the data.
"This is actually a phenomenally economically viable database for the organized crime groups because it is very easy to convert what they have into targeted emails," explained Alan Paller, director of research at SANS Institute, a computer and information security training and research organization. "What they've got in this database is all these people who are already proven willing to invest in games, so they know what their interests are. People can craft emails--thousands of different, very personal kinds of emails."
Sony has warned PSN users to pay close attention to their email, a move Paller backed emphatically, as targeted emails designed to trick consumers are exactly what the data taken from PSN is used for.
"It's very unlikely that they will not be attacked this way," said Paller. "They [organized crime groups] can make tens of millions of dollars with that kind of highly personalized phishing. It's a tough thing to beat and the more people we can directly tell 'you're gonna get hit this way,' the more we can protect."
The full extent of the damage won't be known for days, weeks or even months. Scattered reports are emerging of credit card theft, but at this point, it's impossible to know if it's related to PSN--it may be coincidental. Then again, it might not. If you learn your information's been compromised, let us know.