Category Archives: Data security

PLAY AGAIN? Will SONY win back customer trust following data breach?


It looks like Sony has become the latest victim of a customer data security breach, this time at its PlayStation Network. According to Which?, this leaves up to 77 million (yes, seventy-seven million) people vulnerable to fraud and identity theft.

An extract from the official communication from Sony reads:

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”

Wow. This is MAJOR. In my recent post, I covered data security breaches involving the theft of email addresses. This episode moves us into a whole new league because of the scale and depth of the data taken, and the wider implications of a brand as major and trusted as Sony having been successfully targeted in this way:

Scale: With over 70M customers impacted (3M+ here in the UK, according to Financial Fraud Action UK), this has to be one of the biggest data security breaches of this kind to date. Sony is a household name, with the PlayStation at the heart of many a family’s entertainment.

Depth: The sheer depth of the data that appears to have been obtained is of huge concern. With the recent email data breaches, highly targeted Phishing scams were the main concern. It appears from the statement above that name, address, date of birth, password and potentially credit card data have been compromised. Bearing in mind many email Phishing scams are trying to obtain these very details, fraudsters with access to this data are able to gain a massive head start.

Wider implications: Another worrying implication to parents must be that dependent data is also affected, presumably meaning that the names, addresses, dates of birth and email addresses of countless children could also have been compromised?

What next?

There has been criticism in some sections of the media of how Sony have handled the communication to date. If they are to win back their customers’ trust, they need to do so with timely, open, and transparent communication that reassures those 70M+ people that they know what happened, why it happened, and tells them what steps they have taken to make sure it can never happen again.

But prevention is better than cure, and with mass data breaches such as this becoming a regular occurrence, legislation has to play a role in protecting our data. According to a report from the BBC, the Information Commissioner’s Office has the right to impose fines of up to £500K for breaches of UK data protection law, but only if the data was stored in the UK. 

The need for global co-ordination of data protection legislation is growing, but will it ever be possible to stop high-profile, large-scale attacks such as this through legislation? Should there be industry-wide minimum data security standards enforced by law? As consumers, how do we know who we can trust with our data?


Email data breaches: where will it end?

Following my earlier post on the two email security breaches at trusted brands that have my email address data, it seems that bad news really does come in threes. McKinsey Quarterly is the latest to write to me over the weekend to tell me about my name and email address becoming “exposed”. 

Here’s the email I received:

 Important information from McKinsey Quarterly

We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

If you have any questions or concerns, please contact McKinsey Quarterly at info@mckinseyquarterly.com. For any media inquiries, please contact Humphrey Rolleston at +1-212-415-5321.

Sincerely,

Rik Kirkland
Senior Managing Editor
McKinsey & Company

How can businesses make this bad news land better?

As discussed in my previous post, businesses need to be open, honest and complete from the outset. Customers have the right to know EXACTLY what happened to their data, why it happened, and to be told what steps have been taken to ensure that the risk of it happening again has been minimised.

And when they do so, please use plain English. “Exposed by unauthorised entry” means nothing, and gives me no confidence that this can’t happen again:

  • Did a rogue employee leave a USB stick on the bus? If so, tell me.
  • Did someone hack into your systems? If so, tell me.
  • Have law enforcement been informed? If so/not, why?
  • And most importantly, what are you doing to make sure the chances of this happening again have been mitigated? 

Where will this end?

If these high-profile ‘breaches’, ‘exposures’ and ‘compromises’ continue, then the foundation of permission-based marketing will be rapidly eroded: trust.

I trust brands to look after my data responsibly. I hold them accountable for keeping this safe, including any arrangement they have with any 3rd party supplier. So when something goes wrong, don’t I have the right to be reassured that it won’t happen again? If not legislatively, then morally?

“Trust is like a vase…once it’s broken, though you can fix it, the vase will never be the same again”

(Author unknown)

Guess what happened to your email data?

Information security has been high on the agenda over the last week or so, following two high-profile data protection breaches at established and trusted online brands. Last Monday, 21st March, at 23.04, I received the following email from PLAY.COM:

Dear Customer,

Email Security Message
 
We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.
 
We take privacy and security very seriously and ensure all sensitive customer data is protected.  Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved. 
 
Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.
 
Customer Advice
 
Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate.
 
Thank you for continuing to shop at Play.com and we look forward to serving you in the future.
 
Play.com Customer Service Team

Apart from the obvious data security concern, two things immediately made me uncomfortable about this as a piece of crisis communication:

  1. the lack of detail: ‘a company’, ‘part of’ and ‘marketing communications’ are all a little vague, to say the least
  2. too much jargon: what exactly do they mean by ‘breach’ and ‘compromised’? Tell me what happened to my data!

As a result, I’m thinking, “there’s something more to it than this”. I was pretty angry at the lack of detail and the general tone. Maybe I wasn’t the only one, as this follow-up note arrived less than 24 hours later on Tuesday 22nd March at 21.31:

Dear Customer,

As a follow up to the email we sent you last night, I would like to give you some further details. On Sunday the 20th of March some customers reported receiving a spam email to email addresses they only use for Play.com. We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps. 

We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses.  Play.com have taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.

We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) is kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue.

Best regards,

John

John Perkins
CEO
Play.com

What a difference a day makes, 24 little hours…but it leaves me asking the question, ‘Why couldn’t you tell me this yesterday?’ In any form of crisis communication, it’s vital to get all of the known facts out up front, immediately after the apology. Holding back important facts for 24 hours just fills me with suspicion.

How they should have handled it

Overall, it looks like it was a bad week for email data security and I also had the following note from the folks at TripAdvisor.com. However, you can immediately see the difference in quality of their approach…

To our travel community:

This past weekend we discovered that an unauthorised third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement.

How will this affect you? In many cases, it won’t. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.

The reason we are going directly to you with this news is that we think it’s the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.

I’d also like to reassure you that TripAdvisor does not collect members’ credit card or financial information, and we never sell or rent our member list.

We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologise for this incident and appreciate your membership in our travel community.

Steve Kaufer

Co-founder and CEO

More information

Although this is far from ideal, I find myself congratulating TripAdvisor in the way this communication was handled, especially as it demonstrates why play.com got it so wrong:

  1. They provided the facts, in plain English, up front. An email list had been stolen. Not a ‘breach’ nor ‘compromise’ in sight.
  2. It had a tone that empathised with how I might feel and contained clear information and guidance on how it might affect me
  3. There was a link to further information

Congratulations TripAdvisor. They have demonstrated that it is still possible to deliver bad news in a positive, professional and reassuring way, without keeping me guessing. 

I hope play.com take heed.