PSN Hacked: What Sony's Security Breach Means for You (And What Comes Next)

Posted by patrickklepek (4630 posts) -
Sony confirmed many of our worst fears yesterday afternoon, revealing an outside party had accessed PlayStation Network and gained access to vital personal information about its 77 million registered accounts. The company has not been able to verify whether credit card information was available to the currently unknown hacker or hacker group, but it (still) cannot rule out the possibility, either.

The news understandably panicked many, as evidenced by the number of Giant Bomb users who've confessed to considering canceling their cards. I've spent the last day speaking with experts to gain a better sense of what happened, what might happen with the data and any legal fallout from this ordeal. 

Rumor quickly spread yesterday that banks may have been aware of the leak ahead of time. I contacted Bank of America and Chase, two financial institutions where I actually have accounts, and both denied this. Pushing back on rumors that Sony waited days to inform PSN users their data had been accessed, Patrick Seybold, senior director of corporate communications and social media, clarified Sony's timeline.

"There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised," said Seybold. "We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon."   

The PlayStation Store home page. You can't access this bad boy right now.

The timeline has been a point of contention for PSN users, and understandably so. The matter is rather complicated, as the legal requirements for disclosing data breaches like this vary from state to state.

"There are a number of legal implications, depending on the point of view," said Andrew Ehmke, an attorney at Texas-based Haynes and Boone, LLP. "Many states have laws that require notification to individuals if the individuals' information is hacked (and each state's law is slightly different about the how, when, and what of the notification, as well as the effect for failure to notify). Another place that people may look are the terms of use and privacy policy and whether those were complied with by Sony. The true legal implications won't be known until more facts come out about what actually happened."

If you're not interested in waiting, you can actually pull up your own state's laws concerning breach disclosure through the National Conference of State Legislatures website. For example, in California:

"Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."

PlayStation Network icon

The laws allow companies to hold back on disclosing a breach if criminal activity could be involved. Given that Sony has been under siege from hacking groups, including Anonymous, there would be reason for Sony to invoke this provision. That's not to say Sony did, only that the option exists, at least under California law.

"The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation."

And while most folks aren't really concerned about what Sony's legal response is, it's certainly a factor. It was hacked, and whatever security issues PSN may or may not have had, that's not something it'll let pass.

"From Sony's perspective," added Ehmke, "there are laws against attacking computer systems and taking information, and Sony could take action against the people who did the attack under those laws. Sony may also be able to take action for violation of the terms of use."

The initial legal shot was fired today, with Kristopher Johns of Alabama filing the first class action lawsuit on behalf of PSN users in the US District Court for the Northern District of California. Part of his argument:

"This action is brought on behalf of plaintiff individually, as representative of the common or general interest and as class representatives for all others similarly situated nationwide against SONY to redress defendant’s breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information."


Sony is not the first company to encounter such a breach, and it will not be the last. In 2009, Heartland Payment Systems was hit, resulting in the theft of a whopping 130 million credit and debit card numbers. In 2007, retailer TJ Maxx owned up to a data breach that had existed since 2005, thanks to an unsecured wireless network at one of its stores. Tens of millions of credit and debit card numbers were obtained over the course of nearly two years. The hacker, Albert Gonzalez, was eventually sentenced to 20 years.

Whether legal action is taken against Sony won't put the genie back in the bottle, so to speak. Your data, along with the data of 77 million other consumers who put their faith in Sony's system, was improperly accessed last week. It's more helpful (but disconcerting) to wonder what might now happen with the data. 

"This is actually a phenomenally economically viable database for the organized crime groups because it is very easy to convert what they have into targeted emails," explained Alan Paller, director of research at SANS Institute, a computer and information security training and research organization. "What they've got in this database is all these people who are already proven willing to invest in games, so they know what their interests are. People can craft emails--thousands of different, very personal kinds of emails."

Sony has warned PSN users to pay close attention to their email, a move Paller backed emphatically, as targeted emails designed to trick consumers are exactly what data like that taken from PSN is used for.

"It's very unlikely that they will not be attacked this way," said Paller. "They [organized crime groups] can make tens of millions of dollars with that kind of highly personalized phishing. It's a tough thing to beat and the more people we can directly tell 'you're gonna get hit this way,' the more we can protect."

The full extent of the damage won't be known for days, weeks or even months. Scattered reports are emerging of credit card theft, but at this point, it's impossible to know if it's related to PSN--it may be coincidental. Then again, it might not. If you learn your information's been compromised, let us know.
Staff
#2 Posted by Superdude201 (62 posts) -

Gah, hope they don't have my cc details :(

#3 Posted by EquitasInvictus (2030 posts) -

I really hope no one actually becomes a victim of identity theft.

#4 Posted by MechaShadow84 (8 posts) -

I don't think this will turn out as bad as we might think.  Only time will tell.

#5 Posted by Kowalski (262 posts) -

This is why I never have used my credit card on the PSN, only vouchers.

#6 Posted by Lukeweizer (2687 posts) -

Jesus Christ. What a nightmare.

#7 Posted by KaosAngel (13765 posts) -

Hah, I love you Pat.  Even despite the spike in PSN threads you make one more legit one.  :)


Good to know you're knocking sense into some users about not panicking.
#8 Posted by JDoobs (92 posts) -

Changed all my passwords and canceled my card yesterday. Not really worth the risk to save an hour of my time.

#9 Posted by wibby (256 posts) -

Oh dear.... :(

My trust in Sony has gone, sorry dudes.

#10 Posted by BrickRoad (702 posts) -

Yeah, the scattered reports about CC theft are difficult to link with PSN. I mean, 77 million users, or so they say, are affected. There are going to be at least a few coincidences of CC fraud that are unrelated to this incident but do involve the cards used on a user's PSN.

#11 Posted by brocool (701 posts) -

Just want this done with!

#13 Posted by CrazyBagMan (842 posts) -
@Kowalski said:
" This is why I never have used my credit card on the PSN, only vouchers. "
In case someone hacks the PSN and steals 775 million people's information?

This was completely unpredictable. No one, not even you could have known this was going to happen.
#14 Posted by Vexxan (4621 posts) -

Man this starts to feel like some drama show on tele full of cliffhangers - I REALLY wanna know how Sony's gonna deal with this and how much of what has happened they actually will tell us.

#15 Posted by loungemonkey (29 posts) -

Typo in the sentence: "  Sony is not the first company to encounter such a breach, and will it be the last." 


I assume you meant to say it will not be the last.
#16 Posted by JokerFrown (307 posts) -

Well... I'm on my way to the bank to cancel my card...

#17 Posted by Nictel (2412 posts) -

Passwords changed -> No credit card -> Safe.

#18 Edited by bslayer (222 posts) -

I've never put my credit or debit card info on my ps3 or 360. I'll probably still change my password for my psn account when I can though.


I've only used the psn cards. same with the 360.
#19 Posted by Pullarius_Capax (80 posts) -

I have no idea if I have a credit card attached. I only used PSN for a period of like 2 weeks when I was Xboxless, and I didn't buy anything, but I remember looking at the store. I think it's too presumptuous to cancel; I'm just going to look at my statements for unusual charges.

#20 Posted by MooseyMcMan (11068 posts) -

This article is as well written as the situation is bad. 

Moderator
#21 Posted by Akeldama (4248 posts) -

People need to take a deep breath and be adult about all of this. We do not know the full extent of the situation and people are already abandoning Sony and the PS3. I can't help but feel if this had happened to Microsoft and the 360, people would be a lot more patient and reasonable.


Stop creating shitstorms over events that are STILL UNFOLDING.
#22 Posted by colinjw (220 posts) -

I will stick to microsoft points bought without putting my details into a system.

#23 Posted by rjayb89 (7722 posts) -

The fuck, Patrick. EAT LUNCH FASTER.

#24 Posted by Krummey (198 posts) -

I cancelled my debit card last night, which is a bummer since I've basically forgotten how to use cash.

#25 Posted by effache (130 posts) -

Want to quickly say that I really appreciate the more in depth articles that Patrick has been running on the site. Video game "news" can quickly resort to just copying press releases and blog posts but nothing beats having more expansive articles even if it does involve a little legwork on your guys' part.


I guess that love is my silver lining in all this PSN crap going on.
#26 Posted by mattjam3000 (444 posts) -

This is the most informative news article ever written on Giant Bomb, is it real? Am I real? Is Lady Gaga really that bad?

#27 Posted by Sooty (8082 posts) -

You know despite all this hacking stuff, the large pictures of the PSN logo have made me realise how fugly that thing is.

#28 Posted by Meltbrain (2973 posts) -

Oh dear. I hope no bad crap actually goes down with peoples information. Beyond that I just hope they sort PSN out ASAP.

#29 Posted by DetectiveSpecial (466 posts) -
@loungemonkey said:
" Typo in the sentence: "  Sony is not the first company to encounter such a breach, and will it be the last." 

I assume you meant to say it will not be the last.
"
I vote for "nor will it be the last." 
 Let's get some old English up in here.
#30 Posted by ZmillA (2271 posts) -

This is the age of malicious hacker groups

#31 Posted by Hayamo (64 posts) -

While people are right to get angry at Sony for this, it's not nearly entirely their fault. Yes, there probably are further precautions than what were already in place that might have been able to nullify this incident. You have to realize though, this attack was entirely unpredictable. I'm not necessarily defending Sony here, but people who are saying that this could never happen with XBL are wrong. Just damn wrong. Might it be more unlikely? Possibly, but it is definitely possible, and this whole situation proves that.

#32 Posted by NonDragonfly (21 posts) -

I called up my bank in the UK earlier today, and I was told that they had been briefed on the situation earlier that day. So I'm sure most UK banks have been informed, but I'm not too sure about the US banks.

#33 Posted by FritzDude (2263 posts) -

So in other words: PANIC!

#34 Posted by AndyPhifer (169 posts) -

Isn't it so nice to see some real journalism?
#35 Posted by RE_Player1 (7560 posts) -
@Akeldama said:
" People need to take a deep breath and be adult about all of this. We do not know the full extent of the situation and people are already abandoning Sony and the PS3. I can't help but feel if this had happened to Microsoft and the 360, people would be a lot more patient and reasonable.

Stop creating shitstorms over events that are STILL UNFOLDING.
"
I agree. Stay calm, take a couple hours out of your day to get your password and cc situation under control and hope for the best. This could have happened to anyone. Am I mad? Yeah. Am I going to sue Sony? No. Basically after this I'm trying to see what I can take from it. I will now be more careful in the services I use online and probably will never use a cc on PSN again. I'm not going to throw my console in the garbage but I sure won't be forgetting about this when Microsoft and Sony release another console... 
#36 Posted by Krakn3Dfx (2490 posts) -
@wibby said:
" Oh dear.... :( My trust in Sony has gone, sorry dudes. "
You should lose your trust in Newegg, Amazon, Monoprice and Target among many, many other companies then, because they've all had similar situations. This is a big, terrible event to be sure, but we don't have a clue what type of security Sony does or doesn't have in place, we don't know anything about their data encryption methods. A lot of people have assumed a lot of things, muddying facts with speculation.

I think people need to calm down, stop spewing nothing but vitriol and misinformation, and let things play out before deciding anything.

For me personally, I have cancelled the card I used on PSN and had it re-issued, pretty much a common sense approach to an unfortunate situation.  When PSN is back up, I will be updating my credit card information on the service with the knowledge that whatever hole in the Sony security wall was breached is very likely now patched.

Also with the knowledge that no security system is ever 100%, and if it happens again in a year, you know what, shit happens.
#37 Posted by Benny (1953 posts) -

I love that Giant Bomb has Patrick to cover this, great, informative articles and it's straight from GBHQ rather than elsewhere. Top Stuff Top Men!

#38 Posted by MordeaniisChaos (5730 posts) -
@wibby said:
" Oh dear.... :( My trust in Sony has gone, sorry dudes. "
Why exactly? People are being such babies about this. Acting like Sony just invited the hackers in. They actually did a good job in cutting off the services as soon as they found there had been a breach, and calling in a big security firm to investigate the situation. There is no reason to jump on the pussy wagon and "lose faith in Sony" or whatever the fuck. This shit happens. NO system is perfect, no security precautions can hold up to any and every attack. It could have been worse, had Sony treated the situation poorly.

Now, had they known about it for a while, and just let it be, and kinda half-assed trying to fix the issue without telling anyone or actually fixing anything or removing access to the sensitive information, sure, you'd have a decent reason not to trust them. THEY didn't hack it, they were hacked. And they responded relatively well, all things considered.
#39 Posted by RecSpec (3821 posts) -

You would think people that use their cards over the internet would check their balances and such often to avoid stuff like this. 


The damn guy at the restaurant down the street could steal your information. It's a risk when using credit cards.
#40 Posted by abdo (1037 posts) -

I've got about 5 PSN accounts, about one for each region. Hopefully if anyone decides to steal my info it'll be from the extra ones. I'm glad to say the only time I've ever used my credit card was a couple of years ago, and it's already expired by now.


This is why I can never fully trust digital download providers with my card details. On Xbox Live, if I had bought a few months worth of Live Gold, they'd automatically renew my subscription and it would take forever to stop the automatic payments, a trap my brother fell into a couple of months ago. I'll stick to pre-purchased codes/vouchers.
#41 Posted by Spiritof (2050 posts) -

 Krisopher Johns of Alabama, I don't know you, but you're a Grade A douche nozzle.

#42 Posted by Blueblur1 (344 posts) -

I too called my bank yesterday and had my debit card canceled. I'm not taking any chances.

#43 Posted by tropico89 (40 posts) -

I like how some people feel that because Xbox Live charges a yearly fee it somehow makes it hacker proof. This can happen to any company, people, and not just because it's a free service.
#44 Posted by RVonE (4638 posts) -


I love these in-depth articles Patrick produces for this site!

LOVE IT!

#45 Edited by Scrumdidlyumptious (1641 posts) -

This really sucks. It might be smart to change Xbox Live passwords as well if people share the same password across both networks.

#46 Posted by Winternet (8019 posts) -

Gotta check my credit card statements for unusual activity.


Oh wait, I don't own a PS3.

Gotta check my credit card statements for unusual activity.
#47 Posted by Krakn3Dfx (2490 posts) -
@FritzDude said:
" So in other words: PANIC! "
Personally, I've moved my family into the Virtual Identity Theft Bomb Shelter, where we're going to ride this thing out surviving off of candy bars and generic diet soda.

I'll see you guys in 2012!
#48 Posted by Residentrevil2 (444 posts) -

I need to cancel that card as soon as possible. 

#49 Posted by patrickklepek (4630 posts) -

Caught that nasty typo. Thanks guys.

Staff
#50 Posted by Koobz (384 posts) -
@AndyPhifer said:
" Isn't it so nice to see some real journalism? "
I came for a paragraph summary and got a genuine article about something important.  I don't know what to do with myself.  Somebody make a joke about Chie.
