PlayStation Network security breach: A survival guide

If you're a registered PSN user, the implications of the breach for you and your online information are serious.

Sony has admitted that account details, logins and online IDs for registered Sony PlayStation Network users, as many as 77 million people, have been compromised. The information was stolen sometime between April 17 and 19, according to a Sony blog post, as early as nine days before Sony notified its users of the breach. Even worse, the company says it can't be sure whether credit card information was stolen.

The admission came nearly a week after Sony pulled the plug on PSN and its Qriocity music service, blaming the outage on an "external intrusion" into Sony's network. Sony says that it is rebuilding the PSN and Qriocity server system with improved security. Both services are expected to be operational within the next week.

Sony has quite the security disaster on its hands, and the fact that it took the company almost 10 days to figure out and then admit that user data had been stolen is troubling, to say the least. If you're a registered PSN user, the implications for you and your online information are quite serious. Here's what you need to know:

What the bad guys know about you

Sony said the following user information was compromised: your name, address (city, state, zip), country, e-mail address, birth date, PlayStation Network/Qriocity password and login, and handle/PSN online ID.

It's also possible, according to Sony, that hackers obtained your PSN purchase history, billing address (city, state, zip), and password security answers.

If that wasn't bad enough, it's also possible your credit card information was stolen, including your card number and expiration date. "While there is no evidence at this time that credit card data was taken," Sony said, "we cannot rule out the possibility." Your credit card's security code (typically a three-digit number on the back of your card) was not compromised, according to Sony.

Your kids' account is compromised, too

Sony also warns that if you have a sub-account for a minor attached to your PSN credentials, that account is probably toast as well.

What to do

There are several measures you should take to ensure the integrity of your data. First, considering how long it took Sony to warn its users, it's probably best to assume that all of your information needs to be changed as soon as possible. This isn't meant as a scare tactic, but the fact that hackers may have obtained your PSN data nearly 10 days ago means they have a huge head start on using that data for malicious purposes.

Sony is also warning users to be wary of people calling or e-mailing you for extra information such as your Social Security number or other personal information. Sony says it will never call you asking you to verify your information. You should also be wary of people claiming to be from other companies or services looking to verify your personal data.

Watch those credit cards

Next, you'll want to decide what measures you want to take to secure your credit card information. You can either monitor your card for suspicious activity, or, if you can manage without your card for a few days, you may want to consider canceling it and getting a new one.

Sony also advises that you may want to place a fraud alert on your credit record with the three major U.S. credit bureaus. This will make it harder for someone to open a new credit card in your name (remember they may have your name, billing address and birth date). To find out how to contact the credit bureaus see Sony's blog post.

Also, check out the Federal Trade Commission's website for advice on what to do if you've been hit by identity theft.

Review your online accounts

Next, you'll want to review your online passwords to see whether you are using the same password and login ID across multiple accounts. If, for example, your PSN and e-mail logins are the same, change your e-mail address password immediately.

Many people often use one difficult password across multiple online accounts, because it's easier to memorize just one set of credentials. If that sounds like you, I highly recommend you try a password manager such as LastPass (my personal preference) or KeePass. That way you can use as many difficult passwords as you want without having to memorize all of them. If you use multiple devices during the day such as a laptop, desktop, tablet (iPad or Xoom) and smartphone, you may want to look for a password manager that has software available on all the platforms you use.

For more information on password best practices check out PCWorld's "How To Protect Your Online Passwords."

Consider two-factor authentication

For an added dose of security, you can also use two-factor authentication on accounts that support it. Two-factor authentication basically means your account requires a randomly generated one-time password in addition to your regular password before you can access your account. The second password is usually generated by a separate piece of software that you have enrolled with the account, running on a keychain dongle or a smartphone app. This makes it harder for hackers to break into your online accounts, because a stolen password alone is no longer enough.

Google recently released two-factor authentication for Google accounts, and Facebook has announced that it intends to roll out the security feature to users. Symantec also provides a free two-factor authentication service called VeriSign VIP Access for Mobile. You can find out more about Symantec's service here, including which websites support it.

When PSN comes back

Sony hasn't detailed whether it will require extra authentication steps from you the first time you log in to PSN after it comes back online. But make sure that you log in as soon as the service becomes available and change your password.

When security breaches like this happen, it's best to play it safe and take precautions to safeguard your data in case it has fallen into the wrong hands. And if nothing bad happens to you, at least you took the time to review your online security management practices, which is never a bad thing to do from time to time.

Connect with Ian Paul ( @ianpaul ) and Today@PCWorld on Twitter for the latest tech news and analysis.
