Thanks for giving up my identity to hackers, Sony
For as many as 77 million PlayStation subscribers, Sony delivered grim news today: Not only is PlayStation Network still down, but hackers obtained users' personal information, including logins and passwords. Credit card numbers and expiration dates "may have been obtained." That "may have" is a polite way of saying probably did.
Not only has Sony taken six days to come clean but PSN is still down, so subscribers can't log in to change their compromised information. That's what I wanted to do right away, if for no other reason than a sense of control and security. That Sony can't, or won't, bring back PSN says something extraordinary about the potential scope of the breach.
It's a nightmare scenario for any company to lose the identifiable information of millions, maybe even tens of millions, of customers. What separates the men from the boys, so to speak, is how quickly and fully customers are warned their accounts may have been compromised. Writing for Betanews yesterday, Roger Kay, Endpoint president, warned that this is "no time for the company to hide beneath the radar. Sony needs to make some clear statements -- and soon -- about what has happened." Finally Sony has come clean, but as a PSN subscriber, it was six days too late.
Many people don't use credit cards anymore. Some folks can't because of too much debt. I won't, to resist getting into debt; my family lives by cash on hand. So the probable theft of my bank card number is a big deal. I've already consulted my financial institution; I'll be getting a new card as a precaution.
Luckily, I changed most of my passwords a few months ago, so that my PSN username and password aren't now the same as most of my Internet accounts. Still, I need to purge that password pretty much everywhere. If you're a PSN subscriber whose password there is used elsewhere, stop reading this post right now and start changing them everywhere else. The hackers have a huge head start.
The reported hacking of PlayStation Network occurred on April 20, when Sony took down the service. But today's statement from Sony indicates the hacking took place much earlier: "Between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network." Data was stolen more than two weeks ago, then. Who has your identity now?
I'm chuckling in a way about my situation, and I hope yours is better. I bought PlayStation 3 for the Blu-ray player, back when the game console offered the cheapest and best high-def movie hardware. My family doesn't own a single PlayStation game. I signed up for PlayStation Network last year to test Hulu Plus. Initially, Hulu Plus required a PSN subscription. The tests went bust within two days. Even with 25Mbps downstream Internet, TV show streaming breaks up and freezes. Funny how well it works on iPad 2, from which I can stream Hulu Plus to the television via Apple TV.
Some people have different priorities than I do. This comment posted to Sony's data-breach confession caught my attention: "JUST STOP! FIX THE GOD DAMN PSN FIRST THEN POST THIS CRAP UP GEEZ." What's an identity when you don't have a life beyond gaming?
Assessing the Damage
Some readers are probably thinking that I'm overreacting. Judge for yourself. Sony's statement on what data was taken:
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
That reads as alarming enough to me. One part of the problem is human behavior. It's common for people to use the same IDs and passwords at multiple places. Many gamers covet their gamer tags, which hold special meaning to them and may be used to identify them on services like Xbox Live and various forums around the web. You tell me, do you want to change your gamer tag because of PSN's network breach?
Another problem is more insidious. There are several eBay-like black markets where hackers buy and sell credit cards and stolen identities. The more information that can be stolen, the better identity profiles can be created.
Of course, much depends on how the information was stolen from Sony. Is it in a raw form that isn't easily pulled together in a meaningful way? If so, the hackers might have gotten more than they can realistically use, in which case the risk to you (and me) diminishes dramatically.
For now, Sony's problem is perception. How responsibly will it be perceived as handling the breach, and did it act quickly enough to warn subscribers? Obviously, working with law enforcement, the company would want to do as thorough a forensic analysis of the breach as possible. Withholding information also keeps the hackers in the dark about what Sony and the cops really know. That's a reason not to disclose more information right away.
But that doesn't make me feel any better about the likely breach of a PSN account that I rarely use.
Editor's Note: April 20 date corrected and PlayStation subscribers number updated to 77 million.