http://uk.ps3.ign.com/articles/116/1164392p1.html
"We brought this lawsuit on behalf of consumers to learn the full extent of Sony PlayStation Network data security practices and the data loss and to seek a remedy for consumers. We are hopeful that Sony will take this opportunity to learn from the network vulnerabilities, provide a remedy to consumers who entrusted their sensitive data to Sony, and lead the way in data security best practices going forward," said Ira P. Rothken, an attorney who filed the class action complaint.
"Sony's breach of its customers' trust is staggering. Sony promised its customers that their information would be kept private. One would think that a large multinational corporation like Sony has strong protective measures in place to prevent the unauthorized disclosure of personal information, including credit card information. Apparently, Sony doesn't," commented J.R. Parker, co-counsel in the case.
New FAQ:
Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.
Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.
Q: What steps should I take at this point to help protect my personal data?
A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?
A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “[email protected]” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.
Q: When or how can I change my PlayStation Network password?
A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.
Q: Have all PlayStation Network and Qriocity users been notified of the situation?
A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and we recognize that not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit www.us.playstation.com/support and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.
Q: What steps is Sony taking to protect my personal data in the future?
A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.
Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information?
A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.
Q: When will the PlayStation Network and Qriocity be back online?
A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.
They are moving the network infrastructure and data center to a new, more secure location? I wouldn't have expected that a breach like this was related in any way to location. Anyone familiar with data centers like this care to comment on what that might mean?
So, NO.
Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
No, but encrypting that data isn't required so why spend the money on it? I doubt any company holding your name and address is encrypting it, it's all handled via access controls.
I think the motivation for heightened server security is that, well, Sony just doesn't know. They don't know who is responsible, they don't know what was seen, or how they got access. They have an idea of what was seen, but have no way of knowing if that's all that was seen. That's the worst part of any attack -- why getting hacked is so expensive. Because you need to scour your system, even the spots that weren't touched.
Maybe it was some security guard at the NOC who rifled through a trash bin and found a password and sold it to a Ukrainian hacker over the internet. Who knows. But they have to move operations now, because they can't know for sure.
I'm just glad I never gave PSN my credit card.
I'm pretty sure they've always maintained this was an "external" event, though. On the other hand, it could have been externally implemented with the knowledge/assistance of someone who had physical access. That sounds plausible.
Still, a data center of the size/complexity that must be would be huge to just up and move on short notice I'd think. That's a pretty major undertaking unless the breach permanently compromised physical security; otherwise, you'd expect they'd do that sort of move quietly after things have settled down a bit.
Yeah, it's possible that they haven't ruled out the possibility of direct access yet - either way, it's also them saying: "We know we fucked up, and now we're trying to do what's humanly possible to change the current situation." It's part of the 'atonement', if you will.
It's possible that they're moving locations because the current one is going to remain tied up in forensics for a while, and the "more secure" is just meaningless assuagement because they don't want to get bogged down in the details of why.
So I was going to get a new bank card sent when it occurred to me I should check... and sure enough, the one and only transaction I've made on PSN was from 2009, using a debit card that was replaced last year anyway. By failing to provide compelling content, Sony was protecting me all along!
Sure, but given how they explicitly break out the credit card stuff to say it was encrypted, but don't say anything similar about passwords and security questions, I almost have to believe they're including that as "personal data."
I'm also amazed by the datacenter moving thing. They can't seriously think that was the issue, if they're releasing a new firmware and new SDK (which implies they had some pretty baked-in shitty security); and yet as someone who's been through an enterprise datacenter move (on what has to be a smaller scale than PSN), I know that's not something you do AT ALL lightly without typically months of planning, so they wouldn't be doing it if they didn't have a really compelling reason to do so. Very strange.
The more that comes out about this, the worse it looks for Sony. I think maybe it's time for them to admit that they just plain suck at software and services, and give the whole thing up as a bad experiment.
I suppose for gamers, having PS3 and XBOX (And the Wii/2) work on the same network would be preferable - if only so you could ignore more tards with noisy microphones. Probably make it easier to develop for as well? At least Steam is cross-platform now, so there's that. And GFW/XBL did have that one game that sort of worked for both platforms.
Wouldn't mind seeing some Sony UI influence on XBL though.
I wonder which effects this will have on the PS3 scene though, in terms of development efforts vs. Sony trying to kill them all.
Yeah, that would be my interpretation. After all, the login data was already lumped together with the other pieces (email, birthday, etc.) in their first confirmation of the breach.
Sure, but given how they explicitly break out the credit card stuff to say it was encrypted, but don't say anything similar about passwords and security questions, I almost have to believe they're including that as "personal data."
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
Sure it does. [offtopic]
XBL is using too much screen real estate for "fluff" and it feels slow whereas the Sony dashboard is slicker and faster moving and more minimalistic. I think 1UP did some mockups of how they wanted the UIs to be last year... or was it the year before - some good ideas there regardless.
It can be summed up into - I want to see more, and do things faster.
The dashboard is ugly and a real horror to navigate, certainly. I mean, why would someone think it's clever to have your selection on the left at all times, meaning you can't see what is beyond it (but can see a lot of the stuff on the right)?
Not that Sony's is much better...
Yeah, it seems a bit high. The real costs will be very hard to put a figure to.
There's the actual cost Sony is bearing right now in rebuilding and securing their network. Millions, even tens of millions, but probably not billions.
There's the legal cost - fighting suits in court, settlements, etc. If a large class-action is brought about and won, and punitive damages are awarded rather than just the actual cost lost to each customer, that could be several billion dollars, easy. When you have tens of millions of customers, even a "modest" settlement of $100 for half the PSN members would be almost $4B.
Then there are un-quantifiable costs. Does this black eye stop some people from buying a PS3 or PSP? Will it affect the launch of the NGP? Publishers must be pissed - nobody can buy games on PSN and nobody can play Call of Duty or whatever, so it's hurting sales. Will that have an impact on what future games are willing to be PS3 exclusives, or even cross-platform? In other words, there's a financial impact to Sony from lost confidence, bad publicity, and publisher relations that is hard to put a figure on.
Someone on Facebook claimed their GT5 trophies were stolen. Is that even possible? I don't have a PS, so I'm pretty clueless. I would have assumed those work like achievements linked to an account. So a hacker could have deleted those, but actually stolen?
I finally got that warning e-mail... on my fake US account. My fake British account and my genuine German account still weren't notified. Apparently sending mass e-mails is hard. Maybe Sony should ask a Nigerian spammer how that works.
Apparently they inform US customers first and worry about old and slow Europe later...
For the people relieved that they didn't have a credit card on file with Sony: Stolen credit card details are possibly the least worrying thing about this, between cancelled cards and your bank's anti-fraud measures it's unlikely that you'd be out financially even if someone did have access to your details. You'd certainly suffer some inconvenience but likely no direct financial hit.
The biggest issue is all the other information that they've taken. Your PSN username, password, email address alone are huge, other identity confirming stuff like address, phone number and secret question answers are just gravy. There's a good chance that a not-insignificant portion of the PSN userbase uses the same password everywhere and has the same online handle in other services. Why steal your credit card info when they can access your online banking and order a new card or take out a loan that you don't even know about? Or get your Steam account? Or log into your Amazon account and buy stuff with your saved details there?
I still think this is way out of proportion - As for online banking... Seriously, no bank I know of uses just a password and a secret question to login anymore. There's other codes, or even special encrypted data on the machine logging in.
There is no way in hell anyone can log in to my bank account, unless they have what corresponds to a codewheel I have physically at home. So, unless the hacker takes it to the next level, and starts burgling me (And tons of other users), there is no immense threat looming.
Pure nonsense.
Pure nonsense. How would they know? PSN is down and no one can log in.
Yes, people will have to react basically the same way they did after the Gawker breach. Change any common passwords and use this as an opportunity to adopt more secure practices in your own life. If you have managed to re-secure your email and any other impacted accounts or services, basically you are now just being inconvenienced by PSN's continued downtime. You are well shielded against any financial impact. It's a bummer, but this hasn't been nearly as catastrophic as the panicked coverage would have you believe.
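Two data-handling points run through the thread: Sony's FAQ says the credit card table was encrypted and the CVC was never stored, while the "personal data" table holding passwords and security answers was not protected, and several posters point out that a leaked plaintext password is the real damage because of reuse. The following is an added example (not Sony's code and not from any poster) of how an account record can be built so that a dumped table exposes as little as possible: passwords are stored only as salted scrypt hashes, the card number is reduced to a masked form plus last four digits, and there is simply no field in which a CVC could be persisted. All names (`hash_password`, `store_card`, `build_account_record`) and the sample values are constructed for this example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# scrypt cost parameters (assumed reasonable defaults for this example;
# 128 * r * N bytes = 16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted scrypt hash; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, n, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), digest_hex)


def mask_pan(pan: str) -> str:
    """Keep only the first four and last four digits of a card number (as the
    confirmation e-mail in the FAQ does); everything else is replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number length out of range")
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def store_card(pan: str, expiry: str) -> dict:
    """Card record for the database. Note that there is no CVC parameter at all:
    the security code is only ever passed through to the payment processor and
    must never reach persistent storage."""
    return {"pan_masked": mask_pan(pan), "last4": mask_pan(pan)[-4:], "expiry": expiry}


def build_account_record(handle: str, email: str, password: str,
                         security_answer: str,
                         pan: Optional[str] = None, expiry: Optional[str] = None) -> dict:
    """Assemble the row that would be persisted. Secrets (password, security
    answer) are hashed; the card, if present, is masked; the CVC cannot appear."""
    record = {
        "handle": handle,
        "email": email,
        "password_hash": hash_password(password),
        # Security answers are low-entropy secrets too; hash them the same way.
        "security_answer_hash": hash_password(security_answer.strip().lower()),
    }
    if pan is not None and expiry is not None:
        record["card"] = store_card(pan, expiry)
    return record


def exposed_secrets(record: dict) -> list:
    """Which fields of a dumped record would hand an attacker a reusable secret?
    With this layout the answer is the empty list: no plaintext password, no
    plaintext answer, no full card number, no CVC."""
    leaks = []
    for key in ("password", "security_answer", "pan", "cvc"):
        if key in record or (isinstance(record.get("card"), dict) and key in record["card"]):
            leaks.append(key)
    return leaks


if __name__ == "__main__":
    # Constructed sample input; not real account data.
    row = build_account_record("gamer42", "gamer42@example.invalid", "hunter2",
                               "Rex", pan="4111 1111 1111 1111", expiry="12/13")
    print(row)
    print("login ok:", verify_password("hunter2", row["password_hash"]))
    print("fields leaked by a dump:", exposed_secrets(row))
```

Even with this layout a dumped table still exposes e-mail addresses and handles, which is exactly the phishing surface the FAQ warns about; what it removes is the credential-reuse risk that the later posts identify as the biggest issue, since the attacker gets a salted scrypt hash to crack per account rather than the password itself.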