It looks like Sony has become the latest victim of a customer data security breach, this time at its PlayStation Network. According to Which?, this leaves up to 77 million (yes, seventy-seven million) people vulnerable to fraud and identity theft.
An extract from the official communication from Sony reads:
“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.
While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”
Wow. This is MAJOR. In my recent post, I covered data security breaches involving the theft of email addresses. This episode moves us into a whole new league because of its scale, its depth and the wider implications of a major, trusted brand such as Sony being successfully targeted in this way:
Scale: With over 70M customers impacted (3M+ here in the UK, according to Financial Fraud Action UK), this has to be one of the biggest data security breaches of this kind to date. Sony is a household name, with the PlayStation at the heart of many a family’s entertainment.
Depth: The sheer depth of the data that appears to have been obtained is of huge concern. With the recent email data breaches, highly targeted phishing scams were the main worry. It appears from the statement above that names, addresses, dates of birth, passwords and potentially credit card data have been compromised. Bearing in mind that many email phishing scams are designed to obtain these very details, fraudsters who already hold this data have a massive head start: there is no need to trick the victim into handing it over. And because the PSN password itself is among the stolen data, anyone who reused that password on other sites should change it there as well, not just on PSN.
Wider implications: Another worrying implication, especially for parents, is that dependent data is also affected, which presumably means that the names, addresses, dates of birth and email addresses of countless children could also have been compromised.
There has been criticism in some sections of the media of how Sony have handled the communication to date. If they are to win back their customers’ trust, they need to do so with timely, open and transparent communication that reassures those 70M+ people that Sony knows what happened and why it happened, and tells them what steps have been taken to make sure it cannot happen again.
But prevention is better than cure, and with mass data breaches such as this becoming a regular occurrence, legislation has to play a role in protecting our data. According to a report from the BBC, the Information Commissioner’s Office has the right to impose fines of up to £500K for breaches of UK data protection law, but only if the data was stored in the UK.
The need for global co-ordination of data protection legislation is growing, but will it ever be possible to stop high-profile, large-scale attacks such as this through legislation alone? Should there be industry-wide minimum data security standards enforced by law? As consumers, how do we know whom we can trust with our data?