Sony closed the PlayStation Network on April 20, after unknown hackers gained access to sensitive data on over 77 million PSN users, including potentially credit card information. Since then Sony has been investigating the breach and working on improving PSN’s security before it is brought back up. According to the latest May 10 update on the PlayStation blog, there may be at least a few more days before PSN is rebooted, but according to a Bloomberg report Sony is still committed to a May 31 deadline.
By then it will be over a month since PSN went down, and Sony has already lost over a billion dollars because of this outage. PSN being down means PlayStation users cannot buy games and other items from the online PlayStation Store. Multiplayer is also impossible, even for games bought elsewhere, as multiplayer is enabled through PSN. This also has a negative impact on game developers, especially those who sell exclusively to PlayStation users.
Of course, having so much private information in the hands of hackers presents a big problem as well. It jeopardizes users’ privacy and could result in identity and financial theft. To be on the safe side, PSN users should cancel the existing credit cards associated with their PSN account. If your PSN password is the same as the one you use on other sites, you should change the password on those sites.
This incident tarnishes Sony’s reputation with regard to its security practices. According to a report by The Consumerist, security expert Dr. Gene Spafford said that Sony was using outdated versions of the Apache web server software which were “unpatched and had no firewall installed”. He said this issue was “reported in an open forum monitored by Sony employees” two or three months before these breaches.
In fact, Sony’s Chief Information Officer Shinji Hasejima admitted that “the vulnerability [of the network] was a known vulnerability, one known of in the world. But Sony was not aware of it… was not convinced of it,” according to Develop-Online.net. However, Trend Micro security expert Rik Ferguson said that “it is common for companies to run servers that they know have vulnerabilities”. “In the enterprise world, companies want maximum up-time. They don’t want to take their servers down, so they try to balance security with up-time.”
Unsurprisingly, just a few days after the hack, a law firm in California filed a class action lawsuit against Sony on behalf of Kristopher Johns, a 36-year-old from Birmingham, Ala., who accuses Sony of not taking “reasonable care to protect, encrypt, and secure the private and sensitive data of its users”, and of not acting fast enough to allow its customers “to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions”, according to a CNET report.
Sony is, however, trying to make this up to its users, and has already promised a free AllClear ID Plus identity protection package for each PSN user in the US for 12 months. It includes a $1 million ID theft insurance policy, and such features as internet surveillance and complete identity repair in case of theft. Sony also offers a free PlayStation Plus subscription for a month. They are planning to provide a similar offer to their non-US customers.
Meanwhile, the hunt is on for the criminals who perpetrated this attack, and the FBI is already reviewing the case. Some have suggested that Anonymous might be behind the data theft, especially since the group was involved in DDoS attacks against Sony in retaliation for the company’s pursuit of George Hotz, a hacker who reverse engineered the PS3 to run unauthorized software. Anonymous has, however, issued a press release stating that it was not involved in the theft of credit card information. The press release doesn’t categorically deny any involvement by Anonymous in the attack at large, but given the decentralized nature of the group, it is impossible to claim that no one acting under its label was involved. Anyone can do anything and attribute those actions to “Anonymous”.
Credit card information theft, however, does not fit Anonymous’s typical style, as the group is mostly concerned with free speech and other political causes, not wanton cyberterrorism.