Sony has finally come clean on the PlayStation Network and Qriocity intrusion, and everyone’s worst fears have been realized. Last week Sony pulled down its highly popular PlayStation Network and Qriocity services, which have remained offline since. Initially, Sony offered little by way of clarification, and only stated that they were working on rebuilding PSN and Qriocity, which had been victims of an external intrusion. Rumors flew thick and fast. Most people pointed fingers at “Anonymous”, which had earlier caused temporary outages of PSN. Some suggested that Sony’s actions might have been prompted by the release of a custom firmware called Rebug, which enabled PlayStation users to pirate content from PSN using fake credit card credentials. Unfortunately, the real situation is a lot more critical.
Sony has now revealed that “certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion” into their network. Sony became aware of the intrusion between 17th and 19th April, and turned off PSN and Qriocity on 20th April. The intruder managed to gain access to profile data, which includes name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. Needless to say, all of this is extremely sensitive information. In the wrong hands, this kind of information can be misused in any number of ways. However, the bad news for PSN users doesn’t stop at this. According to the official update:
While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
The fact that your credit card information might be up for sale is unnerving. PlayStation Network, which is accessible via the PlayStation 3 (PS3) and PlayStation Portable (PSP), has more than 60 million registered accounts. If you had your credit card information stored with either PSN or Qriocity, then it’s highly recommended that you change your credit card number. Get in touch with your credit card issuer to find out how you can do so. However, this is something that will take time. In the meantime, it’s recommended that you place a fraud alert on your card.
At no charge, U.S. residents can have these credit bureaus place a fraud alert on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity.
To do this, contact any one of the agencies recommended by Sony (Experian, Equifax and TransUnion). If you also have the nasty habit of using the same password for multiple services, you will have to go through the time-consuming procedure of manually changing passwords for each of those services that had the same password as your PSN account.
In the coming days and weeks, Sony will have a lot of answering to do. What baffles me is the fact that sensitive information like account passwords and credit card details was obtained by the hacker. It is common practice to secure such data by using encryption along with salting. Unless the information was stored in plain text, or protected only with weak techniques like MD5 hashing, the intruder should never be able to extract the original data. If Sony didn’t implement appropriate security measures, then they have no one to blame but themselves, and they will probably have to pay very dearly.
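To make the contrast between salted storage and plain MD5 concrete for passwords, here is an added example (not Sony's code, and not from the original article) that stores the same constructed accounts both ways and checks which scheme exposes users who share a password. The PBKDF2 work factor, the record format and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # work factor assumed for this example; tune for your hardware


def md5_unsalted(password):
    """Weak scheme: fast and unsalted, so equal passwords give equal records."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 record: 'iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        iterations, salt_hex, digest_hex = record.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, OverflowError):
        return False  # a malformed record never verifies


def accounts_sharing_a_record(table):
    """Return sorted groups of accounts whose stored record is identical."""
    groups = defaultdict(list)
    for account, record in table.items():
        groups[record].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts (not real data): two users picked the same password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

if __name__ == "__main__":
    weak = {user: md5_unsalted(pw) for user, pw in SAMPLE.items()}
    strong = {user: hash_password(pw) for user, pw in SAMPLE.items()}
    print("unsalted MD5, identical records:", accounts_sharing_a_record(weak))
    print("salted PBKDF2, identical records:", accounts_sharing_a_record(strong))
    print("bob logs in:", verify_password("correct horse", strong["bob"]))
```

With unsalted MD5 the two accounts that share a password are stored as the same value, so recovering one recovers both; with a per-account salt every record differs and each has to be attacked separately.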
It was also irresponsible to sit on this information for a week before alerting affected users. Sony should have come clean as soon as they knew what had happened. Instead they seem to have been busy trying to save their own ass.
This incident once again highlights the pitfalls of storing your information in the cloud. Every time you trust an online service with your data, you add another source that might be exploited by hackers. It’s time that Congress makes it mandatory for every service that stores sensitive information like credit card numbers to have certain minimum security protections. Sony is currently working on making PSN and Qriocity more secure, and hopes to restore services, at least partially, within this week.