Sony Online Entertainment went temporarily offline Monday after it was discovered that they also lost customer records in a hack that attacked the PlayStation Network. In this latest string of video game and entertainment related information loss, it continues to send ripples through consumer awareness of how vulnerable their information can be online.
The initial breach occurred between April 17 and 19 and it took Sony over a week to warn its almost 77 million users about it. CNet News is reporting right now that Sony is offering to compensate customers who have suffered financial losses (due to credit card reactivation.) However, the revelation of the discovery of the loss from their entertainment branch comes right on the heels of their preparation to restore the PlayStation Network (which they had also taken down due to the previous breach.)
Wired reports on the new depth of intrusion as it affects SOE:
Sony said that the compromised personal information includes customers’ names, addresses, e-mail addresses, birth dates, gender, phone numbers, logins and hashed passwords.
Also at risk are the credit card numbers and expiration dates of 12,700 non-U.S. customers, plus 10,700 direct debit records from customers in Austria, Germany, Netherlands and Spain, containing bank-account numbers, customers’ names and addresses. This information was stored in what Sony said was an “outdated database from 2007.”
Hackers may have had this information for more than two weeks now. The intrusion occurred April 16 and 17, Sony said.
Sony was also quick to point out that there is no evidence that their main credit card database had been compromised as it was stored in a newer and more sophisticated environment.
This portion of the breach may explain why Sony believed that PSN credit card information has remained safe (and said as much to its customers) while personal information and passwords had been hacked; but customers were contacting sites such as Ars Technica with what they believed to be PSN-related credit fraud.
It may take more than a week to get the PlayStation Network back up and running again—although Sony announced that they would be returning certain services possibly earlier—but the new revelation of losses from SOE may change that timetable. Sony did not mention when SOE would be reactivated.
Sony expects to compensate PSN customers with 30 days of PlayStation Plus service and SOE costumers with 30 extra days of subscriber time, plus an extra day for each additional day that it remains down.
With the rise of personal and financial data being tied to people and traded as secrets with corporations for subscription services, it leaves customers open to credit identity theft. Reports of data breaches are pretty common nowadays and as much as they affect large financial institutions like Visa and MasterCard, they also affect everyday customers.
Perhaps it’s time that we rethink the way that subscription services work.
If transaction institutions such as Visa and MasterCard would instead develop one-time subscription contracts that use a credit-card as an initial authenticator, it would make breaches like this much less damaging to users. It wouldn’t save people from having personally identifying information stolen (that may be inescapable) but it could save their credit card information and/or personal account information from being pilfered. If subscription contracts worked between the financial institution and the subscription service with the consumer validating the contract, it would mean the hackers could only see and affect the subscription—meaning they couldn’t then run off and drain a bank account or a credit card with frivolous purchases because the contract would only enable Sony to interact with Visa.
Much in the same way that Sony believes that their primary credit card database hasn’t been breached, if services only walled off their transactions it would reduce the total damage an attacker could do. With lax security at both the consumer level and extremely lucrative databases with customer information within the institutional strata, we will only see a rise in cybercriminals trying to get their hands on it.