After days and days of the Playstation Network being offline, Sony has announced it has taken the service down indefinitely. The cause is a lot more severe than previously thought: PSN has been systematically attacked, and personal information of all users has been stolen, possibly including credit card data. Sony is asking PSN users to keep close tabs on their credit card account statements. This has turned from a rather amusing slap on the wrist for Sony into a massive and truly epic security fail that could have tremendous consequences for millions and millions of people the world over.
Sony shut down PSN last week due to an attack by hackers. People quickly assumed it was Anonymous, but influential people within that “organisation” have denied any involvement. It makes sense to believe them, since the whole goal of Anonymous is to take credit for their actions, to make a point (whether you agree with said point or not). Now that we’re a week later, it’s becoming clear that we’re not dealing with a simple protest against Sony’s anti-consumer behaviour.
It’s all much more malicious.
Sony has confirmed what some folks have already been murmuring about on forums for a while – suspicious credit card activity. The attackers have managed to get their hands on the user information of all Playstation Network users, possibly including credit card information. As such, if you have linked a credit card to your PSN account, it is vital that you keep very close tabs on your credit card’s activity.
“We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained,” Sony states, “If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.”
However, if you read through for instance the Ars Technica forum, you’ll see several people sharing tales of seeing fraudulent activity on the credit cards they’re also using for PSN – activity which started during this whole PSN failure. I’m suspecting Sony isn’t being entirely transparant about what it knows at this point, but at least it offers an apology.
“We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience,” Sony states, “Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority.”
At this point, there is no indication as to when PSN will come online again, but I would say that at this point that’s no longer the main concern. The amount of personal data Sony has let slip through its fingers – probably due to a massive security fail – is astronomical; PSN has about 70 million registered users.
Before the news about the stolen user information got out, I found all this remarkably amusing, and as fully deserved payback for the rootkit fiasco, DRM, GeoHot, the removal of OtherOS, and the ‘bag of hurt’ that is Blu-ray. However, now that we’re actually talking about the user information – including credit card information – of 70 million people being stolen, it’s no longer amusing, but a downright disaster. I’m hoping law enforcement will track down and find the people responsible.
Still, something good might come out of this: it might lead to more awareness, both publicly and politically, of the dangers posed by handing over all your personal information to large companies. Hopefully, it will also be another nail in the coffin of the credit card, an inherently insecure and ridiculous concept that needs to die. People should learn to spend the money they have, not the money they may have.
like sony management and their security-experts?