The fallout from the PlayStation Network hack will be felt for weeks, months and years to come.
We don’t know what’s been stolen from the PSN, but it’s reasonably safe to assume that it’s everything. So, while some might not be particularly worried about credit card theft – after all, you just need to call your bank and they’ll cancel that number and send you a new card – it’s the way this was managed and reported that could end up causing the major issues.
We’re starting to hear, from banks, that they were alerted to the intrusion on or around the 19th, comments from TSA members and beyond suggesting that Sony informed the financial institutions even before they switched off the authentication service on the PSN. We can’t verify this ourselves, but based on what we’re hearing, this is starting to gain ground.
It was on the 26th of April that Sony managed to pull themselves together and tell us what had happened. If the intrusion was between the 17th and the 19th, that’s pretty much a week. A week in which the hacker(s) have seemingly had access to our data – credit cards, purchase history and – worst of all – enough of our ID to start to make some waves.
Name, address, date of birth, security question. It might all be ‘protected’ but it wasn’t encrypted – once the protection broke, all of this was in the clear and – potentially – available to anyone. If your security question was your mother’s maiden name, consider that another blot – ID theft is on the increase, and upwards of seventy million accounts will be a goldmine for the black market.
It’s true to say that this loss is causing a huge problem for Sony. I’m not personally too worried about identity theft or the data that could potentially be seen. Aside from my credit card number, all the data they had access to could have been gathered just as easily by picking through my bins. There will be many who have even more sensitive data than the stuff Sony lost, in public view, on their Facebook pages.
But think about this – if the information is distilled into a searchable list, what’s to say that the next time you’re online the person you’re playing against can’t look up your PSN ID, get your real name and start taunting you? They’ll know your real address, your birthday. And if they’re linked in the database, they’ll know the details of your dependents and sub accounts. It’s this uncertainty that breeds this speculation and Sony’s reluctance to offer comprehensive information only serves to compound that issue.
Make no mistake, people might be happy to say that Sony did the right thing in switching off the service, but the information was – everyone assumes – already extracted and who knows where it could all end up? Scaremongering has been rife since the day the PSN went down, but all this is very real and far too easy to understate: ID theft is a hugely serious matter.
What can we do? Nothing, really. If you’re already signed up to an ID protection scheme then just keep an eye on your credit rating to ensure nobody’s taking out credit in your name, or companies aren’t doing credit checks against you, renting flats, hiring cars, that sort of thing. Just stay vigilant, and hope that the information doesn’t end up on some torrent.
What this debacle has done for me is make me begin to take the measures I should have been taking all along. I use a password generating program to make and securely keep my passwords now, I won’t store my credit card info online again and I’ll even start shredding real-life sources of this data before they go in the bin. It’s always sensible to keep a close eye on statements and accounts but this fiasco has brought that need into sharp focus once again.
As for Sony and the way they’ve handled the communication with customers, let’s just say we’re far from impressed. The eventual statement read more like a legal/PR exercise than a truly apologetic one as it should have been, with more get out clauses than answers – why did it take a week? Why wasn’t the security answer one-way hashed?
Did they actually breach the network and get full access to the databases (and thus managed to dump everything) or did they sniff out packets from PS3s as they went back and forth to the servers, limiting the damage to just those that were connected? We’ll probably never know, resulting in constant doubt about our identities.
I wouldn’t doubt that Sony are the only company to have had problems like this and we simply don’t hear about it in many other cases. I think the fact that the network has been taken down and is being rebuilt means that it gets a larger place in the spotlight than most companies would give it. For me, though, the security risks are of minimal concern. For me, the bigger issue is the bond of trust that has been broken.
Sony’s reluctance to say anything substantive for a week and then their eventual statement still being largely uninformative is a shambles. When their consumer base needed abject humility, they got legal base covering and vague doublespeak. Customers still don’t have all the facts of the matter or a firm timeframe to expect the service to return. Many people are now paying a subscription for a service which doesn’t exist (PS+) and they have no idea when it will be back.
Will the PlayStation brand ever be the same again? It won’t be easy for them. In a gaming landscape which is becoming more and more dependent on connectivity, digital distribution and micro transactions, Sony have effectively told their consumers that they can’t be trusted to handle these aspects. Even if the network is rebuilt as the most secure in the world, regaining that public perception could be a major stumbling block.
The die hard fans will remain in force, but some of us will be far more reluctant to give Sony (and other major companies) such delicate information in the future – we won’t know the far reaching consequences for some time, but just now this has all been an unmitigated disaster, and one of the biggest leaks in modern history.
There are insane amounts of hyperbole being thrown around the internet about never trusting Sony again but there is an element of truth in there. The simple fact is that much of the consumer base will feel that Sony let them down with their silence. That bond of trust is much more difficult to recover than security on a server.
Tuffcub
I just spoke to NatWest to cancel my cards just as a precaution and the chap said they have been inundated with people getting new cards.
Ed the Penguin
Coincidentally I’m getting a new card for a completely different reason.
However, I can’t be bothered to buy a 360 and Blu Ray player to replace my PS3.. so I mustn’t be that worried.. Should I?
Ed the Penguin
….Naaah!
Mason_Mk
77m accounts had basic information compromised and credit cards are most likely not part of that information. Even if it was, they wouldn’t get far without the security code. Even if they had that, what’s the chance of picking you out of 77m people? (Yes, I know not all 77m have credit cards tied to them but it’s a sizeable proportion)
squashme
lol you can easily create a new security code it aint that hard
teflon
@Squash, it’s quite hard to create a new security code unless you’re the bank that issues the card… After all, the security code is printed on the card itself…
djhsecondnature
@squashme – Blimey squash are you just going to shit on everyone’s parade? There’s no need to reply to almost every comment with inaccurate information or rumour. Give it a rest.
plutoniumdragon
It’s easy enough to find software which can generate “valid looking” card numbers with a corresponding CCV – BUT unless someone has leaked a genuine CVK I don’t think you can generate a valid CCV – at least I would hope not…
cam the man
Sony’s security should be a lot safer when the PSN is back online so there shouldn’t be anything to worry about in the future.
jimmy-google
All my personal data that could be accessed can be bought online due to the census data that gets collected (including mother’s maiden name) and my encrypted card number alone isn’t enough.
1 week isn’t great but better than the 3 months it took play.com and the British government to let people know and I still shop at play.com
I’d rather they told the banks first as they have more chance preventing fraud than we do.
I’ve spent too much money to switch console providers and the likelihood is that one day Xbox Live and the App Store will be hacked as well. At least Sony don’t store as much of your card details as Apple do.
How much data has actually been taken (if any)? No one seems to know. This is just worst case scenario at the moment.
If Sony allow the changing of PSN names then the other issues about taunts could be removed as well.
At the end of the day what are my alternatives to staying with my PS3/PSP? Turn to PC gaming which I can’t afford, turn to Xbox and rebuy my games, lose my downloaded games, stop playing altogether or switch to a Wii which I had once and sold as I didn’t enjoy using it? The cost and hassle of switching is too much and probably not worth it. It’s also worth waiting to see what changes Sony actually make to the login procedure and what user information is stored before making costly decisions.
This will have wider implications for the digital medium rather than just Sony. I’m sure fewer will store card details online at all. Having to enter your details every time to buy something will put people off impulse buying. That extra effort can make all the difference.
brownium
Where can you buy this census data? I was under the impression that it was only made available to the public after 100 years.
You probably can get a lot of this data elsewhere, but that doesn’t mean ‘the baddies’ having this data is not dangerous.
jimmy-google
I’ll have to look it up but I found my details from the last 2 censuses (not this year’s) and one was under age but the details were easy to find.
The site even broke the list of names into age brackets to make it easier to locate people.
Mason_Mk
Googling names and basic information you know about them can lead to more about them. For example, when you google my name my Twitter is the fourth/fifth result, and then that has hometown as well as information on things I’m doing, and a link to my Facebook which holds much more. I’m careful not to give certain stuff away and also to not accept shady friend requests, but others aren’t and so are more vulnerable. But at the end of the day it’s unlikely you’re going to get any trouble from this anyway
blarty
There’s a part of the latest update about Sony moving their network infrastructure:
“Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.”
I’m not generally for opinion, preferring more to wait for facts to be released, but this is very telling… why physically move your network infrastructure, unless it has something to do either with your network/hosting partners or there was a physical breach in security prior to network breach… after all we still really don’t know how the data got out of Sony’s doors.
cc_star
gi.biz have interviewed a security firm who said there was an 80% chance it was with inside help.
I wonder if the move of premises is anything to do with that
jimmy-google
If it’s an inside job it will have been harder to detect and harder to stop.
squashme
well Sony has said the perimeter was secure so it does look more and more like an inside job. Sony need to be having some very strong words with its employees
pantherjag
Never seen this before I posted my comment below but these words struck me in the same way as you.
TURRICAN-808
Found this on IGN:
Sony has confirmed that it hopes to restore some functionality to the PSN service by next Tuesday in a new statement on the PlayStation Blog.
“Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.”
Dated April 27, the update posted by Patrick Seybold (Sr. Director, Corporate Communications & Social Media), would put the estimated return date for PSN services as May 3, meaning that the service will have been offline for two weeks.
Although which services will be coming back online next week is unclear, Sony has stated they are working on new security measures for the future, as well as seeking out those responsible for the breach, confirming they “are working closely with a recognised technology security firm in order to find those responsible for this criminal act, no matter where in the world they might be located.”
Sympozium
Well I was off for a week… and now they might restore the effing service by Tuesday?!.. bastards
Kitch
Surely we could have a game playing PSN back on and just not have ANY transactions possible? I’m no expert but that should be possible.
djhsecondnature
They’re probably rebuilding the very core of how the network works. Once it’s done, it’s done. Can’t really put it up until then.
MrIrving
Can I just ask if everybody else has received an e-mail from Sony? I’ve not had one and I’m sure they stated everybody would have received one by 28/04.
eirekun
Me neither! Though I’ve just got one from Mubi.
jimmy-google
Only on my account with a card attached so far.
eirekun
Ah, that makes sense, I used store cards & prepaids.
Kovacs
I JUST got it.
TURRICAN-808
Me too :)
It’s pretty much everything that I’ve read from TSA
skibadee
it is the same thing that the blog has down.
hazelam
i got an email, it basically reiterates what the blog said.
they’re gonna be sending out something like 70 million emails, that’s gonna take some time.
matthangzhou
I received 2 now. One from my main one a few days ago, and just now one from my HK account. Still nothing from my US one though.
Peter Rushton
Just got back from holiday, great bit of news to be reading… :\
How likely is it that my details/my father’s details have been taken? What can we do? Are we liable to compensation if money has been stolen?
TURRICAN-808
If you have a credit card, you are better off than a debit card holder. Just have to wait and see, check your bank accounts. You’ll be prompted to change your PSN password when logging in to PSN (MAY 3rd?)
TURRICAN-808
Here’s a great place to start:
http://www.thesixthaxis.com/tag/psn-hack-latest/
TURRICAN-808
Sony must have sent 77million emails in two days?
That’s a serious amount of global emailing!
squashme
they’re doing it 1 by 1 so it’s gonna take time for all 77million people to get it
TURRICAN-808
lol
pantherjag
Ok, what’s happened here is not good but people have to remember a few things.
1. Every time you put card details into the internet you are taking a risk; you can have all the security in the world but there’s always an exploit. Security on networks, websites etc. is all reactive rather than proactive. The hacking exploit comes before the security countermeasure. In short, someone has to be the victim of a hack before everyone else can be protected from it. I’m safe from credit card fraud because I don’t have one and never buy anything online; I simply don’t trust it. Everyone I know that has purchased stuff online has eventually fallen victim to a scam/fraud/compromise of some sort. For me, I’d rather pay 5 pounds extra for something and know my card details are safe, but each to their own and all that.
2. Lots of people are giving Sony grief about their security being breached but it’s worth remembering that PSN has run relatively smoothly for over 4 years without such a thing happening. It’s also worth noting that for about the last 6-12 months Sony/the PS3/PSN have probably had unprecedented attention from the hacking community with the whole jailbreaking/geohot/Anonymous saga uniting them in some way against the firm. These guys were sharing data and discoveries on various websites, exposing weaknesses and probably constantly testing PSN defenses. It only took one talented individual to breach the Pentagon so is it any wonder that 100s, maybe thousands, of clever people managed to break down PSN’s security? Under the same circumstances I would imagine any company would be vulnerable. There’s every likelihood that PSN was subject to hundreds of attacks prior to this breach which it successfully defended.
3. Something I noted from one of the latest PlayStation blogs was Sony commenting that the servers had physical security, i.e. I’m guessing CCTV etc. I find it interesting that Sony have commented that physical security is being upgraded and that the servers are being moved to a more secure location. Does this sound to anyone else like they suspect the servers were actually accessed physically and essentially prepped for an attack? Was a disgruntled Sony employee, possibly told that his services were no longer required due to cutbacks, responsible for this attack to basically say up yours, Sony? Of course I speculate, but I do find the fact that Sony feel the need to actually make the server location more secure quite strange and telling.
Anyways, that’s my 2 cents’ worth
hazelam
regarding 3, that would fit in with the rumoured inside help theory.
but really nobody knows anything for sure right now, apart from sony and the hacker/s.