Earlier this week, Sony notified its PlayStation Network (PSN) customers of a data breach affecting as many as 77 million consumers. Hackers accessed PSN between April 17 and 19, 2011 and stole the following sensitive personal information:
"... name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."
The PSN website includes notifications for consumers living in the United States, Puerto Rico, and outside the United States. The notifications offer the usual advice for consumers to monitor their credit reports for fraudulent entries, and to access their credit reports at either the official free credit report website or via the three credit reporting agencies: Experian, Equifax, and TransUnion.
Sony expected to notify all customers by April 28. Affected PSN customers can visit www.us.playstation.com/support and www.qriocity.com for more information. PSN has about 36 million customers in the United States, 32 million in Europe, and 9 million in Asia.
In response to the attack, Sony took the PlayStation Network and Qriocity service offline to strengthen the security of its network, and hired a security firm to investigate the cause of the breach. At press time, PSN is still unavailable.
The unannounced PSN outage caused some anxiety among gamers, and some experts believe that anxiety has morphed into "what about my personal data?" At least one PSN customer has filed a lawsuit against Sony for failing to adequately protect their personal data, and for losses from stolen money.
In an update on the PSN blog, Sony said that credit card data was encrypted and personal data was not encrypted. However, the Ars Technica blog reported that some PSN customers have already experienced credit card fraud. So either the encryption was weak, the credit card data was intercepted in transit, or the fraud has another source. Regardless, PSN customers should check their credit card statements for fraudulent entries.
The type of data stolen allows identity thieves to easily access consumers' online accounts that use the same sign-in credentials (e.g., username and password). This means that money and more sensitive data can be stolen, if a consumer used the same sign-in credentials with PSN and with their online bank, telephone, and social networking websites. Consumers should change the passwords on their online accounts.
The type of data stolen makes it pretty easy for identity thieves to assume a stolen identity either online or offline in the real world. And since e-mail addresses were stolen, breach victims can expect to receive phishing e-mail messages from fraudsters. Consumers should learn how to recognize phishing e-mails and phishing websites.
Where does the PSN data breach rank among other data breaches? USA Today reported:
"... the PSN intrusion is arguably the second largest data breach ever, trailing only 2009's Heartland Payment data breach, which impacted 175,000 merchants and millions of payment card transactions per month."
Since credit card account data was stolen, banks will ultimately need to re-issue new credit cards and account numbers to affected consumers. When credit card data was stolen during the Heartland breach, Heartland ultimately paid many millions to credit card companies and banks to cover the costs of re-issuing affected card accounts. After its data breach, Heartland saw its stock price drop about 33%.
One I've Been Mugged reader shared a link to this Ars Technica blog post from February 2011, which warned months ago how PSN credit card data could have been stolen:
"A document written by the hackers has clarified what they did and what privacy and security risks they believe the PlayStation 3 poses. The PS3's connection to PSN is protected by SSL. As is common to SSL implementations, the identity of the remote server is verified using a list of certificates stored on each PS3. The credit card and other information is sent over this SSL connection... custom firmwares could subvert this system. A custom firmware can include custom certificates in its trusted list. It can also use custom DNS servers. This raises the prospect of a malicious entity operating his own proxies to snaffle sensitive data. He would distribute a custom firmware that had a certificate corresponding to his proxy, and that used a DNS server that directed PSN connections to the proxy. His proxy would decrypt the data sent to it, and then re-encrypt it and forward it to the real PSN servers."
While many commenters on this February Ars Technica blog post discredited the hackers' claims and defended Sony, those commenters sure look a little silly now.
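The quoted Ars Technica passage describes a client whose trust decision is "does this chain end at any certificate in my list?", which is exactly what an injected root defeats. The following added example (my own illustration, not code from the post or from Sony) models that decision in a simplified, signature-free form and contrasts it with public-key pinning: all certificate names, keys and the hostname psn.example are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed; no real signatures)."""
    subject: str
    issuer: str
    spki: bytes   # stand-in for the DER SubjectPublicKeyInfo bytes

def spki_sha256(cert: Cert) -> str:
    """SPKI hash: the value a public-key pin is normally taken over."""
    return hashlib.sha256(cert.spki).hexdigest()

def chain_links(chain: list[Cert]) -> bool:
    """Each cert's issuer must name the next cert up; signatures are assumed valid."""
    return all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))

def trusted_by_store(chain: list[Cert], trust_store: list[Cert]) -> bool:
    """The stock check: accept any chain that ends at a root in the device's list."""
    store_hashes = {spki_sha256(r) for r in trust_store}
    return chain_links(chain) and spki_sha256(chain[-1]) in store_hashes

def trusted_with_pin(chain: list[Cert], trust_store: list[Cert], pins: set[str]) -> bool:
    """Pinning: additionally require the leaf key to be one the client was built to expect."""
    return trusted_by_store(chain, trust_store) and spki_sha256(chain[0]) in pins

# Constructed scenario (all names and keys are placeholders).
GENUINE_ROOT = Cert("Genuine Root CA", "Genuine Root CA", b"genuine-root-key")
GENUINE_LEAF = Cert("psn.example", "Genuine Root CA", b"genuine-server-key")
ROGUE_ROOT = Cert("Rogue Root CA", "Rogue Root CA", b"rogue-root-key")
ROGUE_LEAF = Cert("psn.example", "Rogue Root CA", b"proxy-key")  # what a proxy would present

STOCK_STORE = [GENUINE_ROOT]
MODIFIED_STORE = [GENUINE_ROOT, ROGUE_ROOT]  # a trust list with one extra root added
PINS = {spki_sha256(GENUINE_LEAF)}

def outcomes() -> dict[str, bool]:
    """Summarise which chains each policy accepts."""
    genuine = [GENUINE_LEAF, GENUINE_ROOT]
    proxy = [ROGUE_LEAF, ROGUE_ROOT]
    return {
        "genuine_stock_store": trusted_by_store(genuine, STOCK_STORE),
        "proxy_stock_store": trusted_by_store(proxy, STOCK_STORE),
        "proxy_modified_store": trusted_by_store(proxy, MODIFIED_STORE),
        "proxy_modified_store_with_pin": trusted_with_pin(proxy, MODIFIED_STORE, PINS),
        "genuine_modified_store_with_pin": trusted_with_pin(genuine, MODIFIED_STORE, PINS),
    }

if __name__ == "__main__":
    for name, ok in outcomes().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The pin rejects the proxy's chain no matter how the connection was steered to it (DNS or otherwise), but a pin stored in modifiable firmware can be replaced along with the trust list, so on a client the attacker controls it raises the effort rather than removing the risk.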