Sony: Credit data risked in PlayStation outage
LOS ANGELES, CA
Some players brushed off the breach as a common hazard of
operating in a connected world, and Sony said some services would
be restored in a week. But industry experts said the scale of the
breach was staggering and could cost the company billions of
dollars.
"Simply put, one of the worst breaches we've seen in several
years," said Josh Shaul, chief technology officer for Application
Security Inc., a New York-based company that is one of the
country's largest database security software makers.
Sony said it has no direct evidence credit card information was
taken, but said "we cannot rule out the possibility."
It said the intrusion was "malicious" and that the company had
hired an outside security firm to investigate. It has taken steps
to rebuild its system to provide greater protection for personal
information and warned users to contact credit agencies and set up
fraud alerts.
"Our teams are working around the clock on this, and services
will be restored as soon as possible," it said in a blog post
Tuesday.
The company shut down the network last Wednesday after it said
account information, including names, birthdates, email addresses
and log-in information, was compromised for certain players in the
days prior. Sony says people in 59 nations use the PlayStation
network.
Purchase history and credit card billing address information may
also have been stolen, but the intruder did not obtain the 3-digit
security code on the back of cards, Sony said. Spokesman Satoshi
Fukuoka said the company has not received any reports yet of credit
card fraud or abuse resulting from the breach.
Shaul said that not having direct proof of credit card
information theft should not instill a sense of security, and could
mean Sony just didn't know what files were touched.
"They indicated that they're worried about it, which is
probably a very strong indication that everything was stolen," he
said.
If the intruder successfully stole credit card data, the heist
would rank among the biggest known thefts of financial data.
Recent major hacks included some 130 million card numbers stolen
from payment processor Heartland Payment Systems. As many as 100
million accounts were lifted in a break-in at TJX Cos., the chain
that owns discount retailers T.J. Maxx and Marshalls, and some 4.2
million card numbers were stolen from East Coast grocery chain
Hannaford Bros. Those attacks allegedly involved a single person:
Albert Gonzalez, a Miami hacker who was sentenced last year to 20
years in prison for the attacks.
The Ponemon Institute, a data-security research firm, estimated
that the cost of a data breach involving a malicious or criminal
act averaged $318 per compromised record in 2010, up 48 percent
from the year earlier.
That could pin the potential cost of the PlayStation breach at
more than $24 billion.
Alan Paller, director of research for the SANS Institute, a
security training organization, said that even if credit numbers
weren't stolen, knowing someone's name, email address and which
games he or she likes can lead to expertly crafted scam e-mails.
Knowing billing histories can be even more harmful, since they can
identify big spenders.
"If you know someone's spent a lot on gaming, they could be a
spectacular target," he said.
The PlayStation break-in serves as a reminder of the danger of
large-scale breaches, even as hackers gravitate toward smaller
attacks that target specific, valuable data and are harder to
detect.
Some PlayStation users appeared to shrug off the danger, although
they were taking precautions.
Joshua Delgado, a 36-year-old self-employed gamer in Moreno
Valley, said he now wants to check whether the credit card he
registered on the network was one that had recently expired.
For now, he's no longer playing the multiplayer shooter game,
"MAG," nor is he renting movies over the system any more.
"There are worse things that are going on in the world -- it's a
game," he said. "But I'm disappointed that they weren't more
prepared for something like this."
The theft of credit card numbers has taken on a routine feel,
even though instances of mega-breaches have been declining.
Verizon's latest annual security report, one of the industry's
most authoritative analyses, found that the number of compromised
records in cases examined by it and the U.S. Secret Service dropped
from a record-breaking 361 million in 2008 to under 4 million last
year.
The decline was the result of more targeted attacks, as well as
the lack of major breaches to inflate the numbers.
Michael Brant, a 52-year-old railway worker in Columbus, Ohio,
said the network outage prevents him from playing "Call of Duty"
on a team with his 8-year-old grandson against potential online
opponents, who have numbered above 150,000 at any one time.
He's been able to catch up on TV shows and news in the down time
and he didn't seem worried about the possible loss of data.
"Everybody gets hacked," he said. Brant said he would not hold
a long-term grudge against Sony "as long as they get the stuff
back up and running and nobody has to suffer from it."