PlayStation data breach deemed in 'top 5 ever'
By Emily Chung, CBC News
Posted: Apr 27, 2011 10:56 AM ET
Last Updated: Apr 27, 2011 7:05 PM ET
Names, birthdates and some credit card data may have been stolen from users of Sony's PlayStation Network in what may be one of the biggest data breaches ever.
More than 75 million accounts worldwide, including more than one million in Canada, are registered with the network that suffered a massive data breach this week, Sony confirmed Wednesday.
The massive breach is one of the "top five ever," said Alan Paller, director of research for the SANS Institute, a cybersecurity training and research institution based in Bethesda, Md.
More than 70 per cent of PlayStation 3 video game consoles are connected to the PlayStation Network, which allows users to play online games, surf the web, chat with friends and download games and other content from the PlayStation store.
The breach also affects users of Sony's Qriocity service, which streams movies on demand to compatible Sony devices such as HDTVs and Blu-ray players for a monthly fee. The company said it could not provide user statistics for Qriocity.
Sony announced the data breach on its PlayStation blog Tuesday afternoon, six days after it shut down both services after learning of an "external intrusion" on April 19.
Tuesday's blog post detailed the personal information that it believes "an unauthorized person has obtained" from users:
- Name, address (city, state, postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID.
- Possibly other profile data, including purchase history and billing address (city, state, postal code), and the subscriber's PlayStation Network/Qriocity password security answers. The same data with respect to a dependent may also have been obtained. If an account holder provided credit card data, the credit card number (excluding security code) and expiration date may also have been obtained.
The company said in a clarifying blog late Tuesday that it did not inform users of the breach earlier because it took until Monday "to understand the scope of the breach" following several days of forensic analysis by outside experts.
Meanwhile, the Office of Canada's Privacy Commissioner, Jennifer Stoddart, is seeking information from Sony about the breach.
"We are currently looking into this matter and are seeking information from Sony," said a statement from her office Wednesday.
The statement said Sony did not notify the office of the breach.
The United Kingdom's Information Commissioner, who enforces the country's Data Protection Act, has told the London-based Telegraph newspaper that he is also contacting Sony to learn more about the incident.
'Perfect targeting mechanism'
Paller said the breach is particularly dangerous to users because of the valuable information contained in the billing data about users' behaviour and preferences, which can be used to craft personalized scams.
"It's extremely dangerous because it's a perfect … targeting mechanism for targeted phishing."
The data may be used to contact users and sell them what appears to be a new game, an update to a game or a trick in a game, Paller said.
"The big money in organized crime is still in those scams," he added. "They work extremely well when they're designed for you."
He added that people behave unusually cautiously for less than 90 days after an incident like this, and criminals will likely target victims multiple times over a long period.
Nicolas Christin, associate director of the information networking institute at Carnegie Mellon University, suggested that PlayStation Network users contact their credit card companies, just as they would if they had left their credit card in a public place.
At least one question in Sony's FAQ about the breach suggests that some of the data may be used to extract more personal information: "I got an email from you asking for my PSN/Qriocity sign-in ID and password. Is it really you asking for this information?"
Sony said it will never contact users by email asking for their credit card number, Social Security number or other personally identifiable information.
Too much personal data?
David Skillicorn, a Queen's University computer science professor who researches cybersecurity, said the large number of users affected means individuals are unlikely to be targeted by identity-based scams, other than ones that are email-based.
"Your chance of being the few hundred people out of the 77 million that they picked are pretty slim."
He said Sony's problem is the much bigger one: "It will take them a long time to get the trust back."
Neither Skillicorn nor Christin thinks there is anything users could have done to protect themselves, although Skillicorn questioned why Sony collected so much personal information in the first place.
"It's not clear to me why on earth you would want anyone's physical address as part of being able to play on the PlayStation."
Paller said gaming and social networking sites are particularly vulnerable to attacks like this because they are:
- Open, allowing almost anyone to join, as that is part of their business model.
- Constantly doing new things because that's their survival strategy, and the new computer code that allows them to do that tends to have flaws.
However, all three cybersecurity researchers said there were likely things Sony could have done to reduce the risk of this kind of breach.
"There must have had some problem they didn't deal with," Skillicorn said.
Christin said it appears Sony likely did not partition its network to reduce the chance that the entire network would be affected if one part was compromised.
Paller believes encrypting or geographically separating data isn't an effective defence. He recommends instead that companies require their developers to use secure coding techniques, which are not widely taught.
However, Christin noted that Sony has so far been very reluctant to release much information and he hopes the company will be more forthcoming.
"If the companies are not co-operating by not disclosing what happened, then we cannot learn anything and we are bound to repeat the same mistakes."