Sony PSN Hack, What You Need To Know Right Now
Maybe you have heard that Sony has taken their Playstation Network (PSN) offline on April 20. It first was not clear why it was taken down, with many suspecting a DDOS attack to be the reason. Back then, Sony let everyone know that the services were taken offline because of external intrusion. No one knew the scope of the intrusion at that time, nor if data was downloaded by the intruders.
Yesterday Sony revealed additional information, and boy does it look back. Information about the situation are provided to all customers of the service in an email.
The email speaks of an "illegal and unauthorized intrusion" in which certain "service user account information" were stolen by the attackers.
The important part follows with a list of information that have been stolen. This includes:
name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID.
Please note that the email address, login and passwords have been stolen. This is likely going to turn ugly considering that many users on the web use the same email and password combination on a lot of sites.
If you are a customer of PSN or Qriocity you need to immediately change your passwords on site where you may have used the same password, and on your email account.
Sony furthermore says that it is possible that profile data may have also been obtained by the attackers, which would include purchase history and billing address. Even worse, they cannot eliminate the possibility that created card data was taken as well.
That's the worst case scenario, and there is not lot that users of the network can do at this time, but to actively monitor their credit card bills to check for unauthorized payments.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.
The data stolen could also be used in custom attacks as the attackers could use the user's name and other information to make requests look legit.
Sony asks all users to change their PSN passwords as soon as the service goes online again.
A frequently asked questions section has been uploaded to the Playstation website which contains further information and support phone numbers.
To paraphrase: PSN users need to change their web account passwords immediately, especially if they are identical to their PSN password. They also need to change the password of their email accounts if identical, and need to monitor their credit card statements and account statements to make sure that no unauthorized payments are made from the accounts.
Since the hack has been first noticed on April 17, it is advised to look at your account statements for April to see if you find any unauthorized payments.
Sony is still investigating the issue at this point in time. The hack is a marketing fiasco for Sony, and more than a nuisance for customers of the service who now have to fear that their data gets abused by the hacker.
With 70 million users, the data alone could be worth a fortune on the black market. Spammers would love to get their hands on email addresses, names and countries for instance to send out personalized spam to those users.Advertisement
The real question is why they took so long to inform their users that vital information was potentially stolen. I think Sony might be up for a multi-million dollar lawsuit and IMO they deserve it as this is unacceptable in today’s world.
All I can say is that thank god I do not bother with any of this online gaming stuff.
In light of this and many other incidents of attacks involving data theft, it makes one wonder if any online entity can _really_ be trusted to take utmost care of personal information shared with it.
It may have become common activity to be parting with personal information as required from using services online, but now it calls for awareness on the practices and policies of these services for ensuring security on our data. Policies should be revised to include transparency on how information is being handled (Google recently demonstrated this with the release of a video showing how they handle information in their server farms).
It cannot be stressed strongly enough on the importance of segregating passwords and email accounts online. However, this is only the tip of the iceberg. It also falls upon the responsibility of an individual or company soliciting and storing information to guarantee best practices on the safety of the data from _any_ illegal attempts on acquiring it.
Else if such cannot be achieved, then it’s about time we think twice before sharing information online, and consider our data as a valued property, not to be carelessly let out in the open.
IMHO there’s no such thing as 100% data security online. Of course that applies in real life too, so it’s all a question of how hard firms work at protecting data, and how they respond to customers if there’s a breach. How far Sony have failed at protection I don’t know – but they’ve failed massively in customer response.
These days, I’m more impressed by organisations that admit 100% security is impossible but strive to do their best – and inform me instantly of problems. But when they make claims like “100% security absolutely guaranteed sir!” (usually from some clerk who couldn’t reconnect their keyboard if the plug came out) – then I back away. Not just because they clearly don’t know what the hell they’re talking about, but because that organisation’s security is probably a function of PR – always a bad sign.
Other than via direct hacking, I’m convinced that more identity theft takes place inside large businesses and organisations than outside them. In fact – assuming we take reasonable precautions with our usernames and passwords – it’s easier for employees of those bodies to access our data than it is for us. If that employee is in Mumbai and earns Â£20 a month (or perhaps in London and just plain greedy) then the dangers are obvious, and – I’m convinced – hugely played down.
Stolen credit cards are already in use ;
A norwegian, Fredrik KlÃ¦rud, discovered that his PSN registered credit card has been charged several times from April 17 – April 20. The amounts ranges from 40 NOK to 400 NOK (1 USD is about 5,3 NOK). The bank confirms that five more incidents were about to be charged when he blocked his card.
@ilev: This sounds more like an issue with Norwegian banking systems, which had issues prior to and during the easter holidays causing double and/or delayed payments. If you examine the bank statement in the article it says the transactions are from 14.4 and 16.4, i.e. before the first signs of any attacks on PSN occured.