The recent attack on Sony's PlayStation Network and Qriocity services may force companies to treat the personal information of their users with as much seriousness as they do credit card information.
Beth Jones, a Senior Threat Researcher at Sophos Labs, says that the recent breach of Sony's PlayStation Network may have ripple effects on regulatory control of American consumers' personal information. The PlayStation Network was hacked last week, and Sony had to admit that users' personal details, such as email addresses, passwords and phone numbers, may have been taken. The haul of data was huge -- 77 million people use the PSN.
Credit card data is governed by the Payment Card Industry Data Security Standard (PCI DSS), whose governing council was established in 2006. Under the standard, companies that process credit card data must comply with a set of requirements meant to prevent data theft and fraud. "I'm wondering if the regulatory authorities will extend PCI compliance to other information," Jones said.
One requirement is that companies must protect any credit card data stored internally and must encrypt any data transferred over public networks. While Sony did encrypt password data, that may not have prevented the intruders from gaining access to other pieces of user information.
"While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," Sony said. "It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained," the company said on the PlayStation blog.
Jones noted that having access to a database of credit card numbers doesn't mean a hacker can actually read them. "If they got the credit card info, it could take more time and effort than they are willing to put in in order to gain access to it," she said. The encryption on the card numbers is usually more sophisticated than that on passwords.
But while it is unclear whether the hackers were able to get the credit card information directly, there is no question that they had access to the users' personal details. The sheer amount of other data stolen makes the question of whether card numbers were taken almost beside the point.
Jones says it is possible -- even probable -- that with just a user's email address and name, a hacker could concoct a convincing enough phishing scheme to scam users out of countless other bits of information, including their credit card numbers. "They could do plenty with just a password," she said.
Access to a user's password would essentially give a hacker unimpeded access to any of the information listed in a user's account. Considering that many internet users recycle their passwords on multiple websites, having one password could effectively give criminals access to many more accounts.
Because of this exposure, Jones foresees a time when government agencies will step in and force companies to protect user information with the same level of security as they do financial information. The Payment Card Industry Data Security Standard only sets requirements for credit card information; no equivalent system exists for passwords and email addresses. That gap was visible in Sony's breach: the card data was encrypted, the personal data was not.
"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack," Sony said in a statement.
Sony, like other companies that have suffered security breaches, had full faith in the strength of its security. But faith was not enough. "For the most part, it's just a case of not wanting to take the time or resources to encrypt the data," Jones said, noting that for companies like Sony, basic security measures are often enough of a defense to protect user information. That wasn't the case this week.
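The difference between a user table that is readable once dumped and one that is not is the practical core of the two points above (password reuse across sites, and data left unencrypted because it seemed too costly). The following Python is an added example, not Sony's code or anything the article describes; the accounts, the attacker wordlist and the work factor are constructed for the demonstration. It contrasts a plaintext password column with per-user salted PBKDF2-HMAC-SHA256 digests, then plays the attacker who has the dumped table: in the first case every password is immediately reusable elsewhere, in the second only wordlist passwords fall and each guess must be recomputed per user. A reversibly encrypted column whose key sits on the same compromised server behaves like the plaintext case once the table is taken, which is why passwords are hashed rather than encrypted.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; none of these are real PSN records.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "password1"),
    ("carol@example.com", "password1"),  # same password as bob, to show the effect of salting
]

# Small constructed attacker wordlist.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein"]

# Deliberately low for the demo; production work factors should be far higher.
DEMO_ITERATIONS = 10_000


def store_plaintext(accounts):
    """The weak form: the password column is readable as-is by whoever dumps the table."""
    return {email: password for email, password in accounts}


def store_hashed(accounts, iterations=DEMO_ITERATIONS):
    """The hardened form: a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest.
    Nothing in the row can be turned back into the password."""
    rows = {}
    for email, password in accounts:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        rows[email] = {"salt": salt, "iterations": iterations, "digest": digest}
    return rows


def verify_password(rows, email, candidate):
    """Login check against the hashed table, using a constant-time digest comparison."""
    row = rows.get(email)
    if row is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), row["salt"], row["iterations"])
    return hmac.compare_digest(digest, row["digest"])


def attacker_reads_plaintext_dump(dump):
    """With a plaintext dump (or a reversibly encrypted one plus its key), every password
    is immediately usable for trying other sites. Returns (recovered, guesses_needed)."""
    return dict(dump), 0


def attacker_cracks_hashed_dump(dump, wordlist):
    """Offline dictionary attack on the hashed dump. Each row has its own salt, so every
    guess has to be re-derived per user; only passwords present in the wordlist fall.
    Returns (recovered, guesses_needed)."""
    recovered = {}
    guesses = 0
    for email, row in dump.items():
        for guess in wordlist:
            guesses += 1
            digest = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), row["salt"], row["iterations"])
            if hmac.compare_digest(digest, row["digest"]):
                recovered[email] = guess
                break
    return recovered, guesses


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_ACCOUNTS)
    got, cost = attacker_reads_plaintext_dump(plain)
    print(f"plaintext dump: {len(got)} of {len(plain)} passwords usable after {cost} guesses")

    hashed = store_hashed(SAMPLE_ACCOUNTS)
    assert hashed["bob@example.com"]["digest"] != hashed["carol@example.com"]["digest"]
    got, cost = attacker_cracks_hashed_dump(hashed, WORDLIST)
    print(f"hashed dump: {len(got)} of {len(hashed)} passwords recovered after {cost} guesses: {got}")
```

Note that bob and carol share a password but get different digests, so cracking one row tells the attacker nothing about the other; without per-user salts one digest computation would test a guess against every user at once.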
Criticisms of Sony's handling of the attack extend beyond security. One of the most frequent is that the company took too long to tell consumers what had actually happened. Sony has noted that it took the company and its hired experts days to figure out the full scope of the breach. "It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach," said Nick Caplin, Head of Communications for Sony Europe. "We then shared that information with our consumers and announced it publicly."
One salvo was fired by the hacker George Hotz, who was sued by Sony earlier this year for modifying his PlayStation console. On his blog, he speculated that the problem is that Sony's systems trust the PlayStation 3 console, and as a result anyone with the technical knowledge could use that as a way into the system. "Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server? This arrogance undermines a basic security principle: never trust the client," he wrote.
Even Hotz, though, said he was sympathetic to Sony's engineers in this case. "Let's not fault the Sony engineers for this... The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts."
Despite the company's investigations, Jones doesn't believe the full extent of the hacking will ever be known to the company. "Sony will probably never fully understand the entire scope of the breach. Forensics can take a long time," she said.
For now, Sony is focused not only on getting its services back up, but on recovering the trust of its customers. Jones, however, doesn't think it will be a lasting issue. "It is going to be a definite public relations challenge for them to regain consumer trust. But as we've seen from previous breaches, customers have a pretty short attention span," she said.