The Sony PlayStation Network breach: An identity-theft bonanza

Sony acknowledges credit cards details may have been stolen in data breach

The massive Sony PlayStation Network data breach that exposed personal and password information -- and possibly credit cards -- of an estimated 77 million people is an identity-theft bonanza.

"This is a gold mine to break into other accounts," says Rod Rasmussen, president and chief technology officer at Internet Identity, a technology and services provider that helps guard against corporate brand-name damage and data loss on the Internet. He says the mountain of customer information gained by the Sony PlayStation Network attacker will facilitate email phishing attacks as well as attempts to break into other types of accounts, since people often use the same passwords for their various accounts. He urges anyone impacted by the Sony PlayStation Network breach to change any similar password they use elsewhere.

MORE ON SONY BREACH: Sony PlayStation personal user data stolen | Your FAQs answered

Sony Computer Entertainment and Sony Network Entertainment yesterday acknowledged that an "unauthorized person" has stolen the following kinds of information that was provided by its by PlayStation and Qriocity customers: "Name, address, country, email, address, birth date, PlayStation Network/Qriocity password and login and handle/PSN online ID." Sony took its PlayStation Network offline last week and yesterday disclosed what it knows so far about the massive breach.

The Sony division said sub-accounts for dependents were also compromised, adding, "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit-card data through PlayStation Network or Qriocity, out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration data may have been obtained."

Information being quietly shared by companies under contract to Sony suggest that there was a massive denial-of-service attack against the Sony network right before the actual network break-in when the data was stolen, says Paul Henry, security and forensics analyst at Lumension.

Although the vigilante hacker group Anonymous is denying involvement, Henry says nothing can be ruled out right now. Anonymous had been in a sort of feud with Sony due to the company's lawsuit against a hacker who had released code to make it possible to run homemade games on PlayStation 3 as well as pirated software.

But PlayStation users need to be aware that the massive haul of their personal data means "everything is there for full-blown identity theft, except the Social Security numbers," Henry emphasizes.

Henry predicts there will likely be phishing campaigns by the attackers -- or whoever buys the stolen personal information from the attackers -- to try to get those Social Security numbers. With Social Security numbers, it's not hard to commit financial fraud related to loans or new credit cards, for instance. Henry urges PlayStation victims to contact the three credit-reporting agencies to put a "credit alert" on their accounts so that "no credit can be established without your notification and consent."

In its own advisory yesterday, Sony mentioned the three U.S. credit bureaus -- Experian, Equifax and Transunion -- but urged some caution in using this "fraud alert" mechanism.

"This service can make it more difficult for someone to get credit in your name," Sony Computer Entertainment and Sony Network Entertainment said in its statement yesterday. "Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file."

The massive cache of personal information pulled out by the attackers is likely to be sold off online while it's fresh, Henry points out. "Typically, it's sold in bulk," he notes. "If they're after credit cards, they'll buy goods and have them shipped to their address."

There have been so many data breaches in the past few years, however, that prices for stolen information has fallen. A few years ago you could get $12 per record but today it's no more than 50 cents, Henry says.

Since many types of financial and other online accounts seem to ask similar questions for security purposes -- such as provide your mother's maiden name or list the school you went to -- Henry suggests it's not a bad idea to simply start lying about all those things so that changing them is possible when there's a data breach like this.

"Make up answers to these questions and keep track of your answers," he says.

Since Sony's division suggests credit cards may have been stolen by the attackers as well during the break-in, this raises questions about whether Sony is compliant with the Payment Card Industry (PCI) data-security rules.

Although Sony's division had no immediate response to the question about whether the Sony division is PCI compliant or holds payment-card data in a secure way demanded under the PCI standards, it can be expected that this issue will be looked at in future days by the banks, Visa, MasterCard and others as more about the massive data breach comes to light.

"A lot of websites out there don't want to deal with being PCI-compliant so they contract with third-party companies to clear credit cards," Henry says. He suggests whatever the case, the credit card numbers Sony has been given by its customers should have been held in encrypted form. "It certainly looks like there's a large liability on Sony right now," he concludes.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Sony Computer Entertainmentsecuritydata breachlegalsonyIdentity fraud / theftcybercrime

More about Epsilon InteractiveEquifaxetworkLANLumensionSonySony Computer EntertainmentVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts