PSN: What Happened & What Now?
Let’s start at the beginning. On April 19th Sony detected that hackers had broken into the PlayStation Network within the previous 48 hours. Their immediate response was to pull the plug on the service and hire an outside forensic security team. On Monday, after rampant speculation had raged across the Internet for nearly a week, the company announced that someone had “intruded” into the underbelly of the PSN. It wasn’t until Tuesday that the company saw fit to divulge that part of that “intrusion” involved the accessing of oh…77 MILLION people’s personal and user data. Names, addresses, login IDs, passwords, password retrieval questions, purchasing histories, birthdays, user names, and profile data. Pretty much the only thing Sony claims that the “intruders” did NOT get is credit card information. Mind you, the company states, “we cannot rule out the possibility,” which is hopefully them just covering their ass legally.
Now, you might wonder how the “intruders” got everything, including the kitchen sink, but somehow missed out on the treasure trove of credit card data. It’s simple: credit card info is the only thing Sony bothered to encrypt. Yes, they had extensive, and presumably robust, barriers to illicit access, but there were no secondary safeguards of the data once an intruder was past the outer wall. Hell, France had the Maginot Line and we all know how that one worked out. 77 million people’s detailed personal information was being kept in simple text files. Again, you might be wondering, “If they didn’t get my credit card, what’s the issue?” The issue is that the information they DID get is more than sufficient to get a whole new credit card, loan, etc. in YOUR name. Whether it’s by accessing your other accounts through password overlap or by spoofing their way in via a customer service department and their dreaded “security questions”…you’re exposed. Credit cards can be canceled; your birthday is for life.
The reason for the attack, the motivations, and the goals are all theoretical. For all anyone knows, it was done simply to make Sony look bad and nobody has anything else to worry about. But this is bloody unlikely and the seven-day lead Sony gave to the hackers is inexcusable. Hacking happens, data loss happens, but hiding it from the affected users is, or should be, criminal.
It’s unclear what long-term repercussions Sony will face as a result of the incident but there is currently a class-action lawsuit, an angry Senator, a pending fine from the U.K. government, and a PR cluster-fuck waiting their turn to take a whack at the electronics giant. Only time will tell if anything sticks.
For now, I suggest you worry about your credit scores and bank accounts. For a good place to get started, check out ARN’s comprehensive PSN security breach survival guide.