PlayStation data breach deemed in 'top 5 ever'

Names, birthdates and some credit card data may have been stolen from more than 75 million users of Sony's PlayStation Network in what may be one of the biggest data breaches ever.


More than 75 million accounts worldwide, including more than one million in Canada, are registered with the network that suffered a massive data breach this week, Sony confirmed Wednesday.

The massive breach is one of the "top five ever," said Alan Paller, director of research for the SANS Institute, a cybersecurity training and research institution based in Bethesda, Md.

Big breaches

Some recent significant data breaches include:

  • 2009: Albert Gonzalez pleads guilty in New York to stealing tens of millions of payment card numbers by breaking into corporate computer systems at businesses including payment card processor Heartland Payment Systems, TJX Company Inc., 7-Eleven Inc. and Target Co., dating back to 2005. TJX is the parent company of Winners and HomeSense in Canada. Transactions in Canada, the U.S. and Puerto Rico were affected.
  • 2010 – 2011: A breach is discovered in the Texas state comptroller office computer server, which exposed the personal information of 3.5 million individuals for a year. Social Security numbers, names and mailing addresses, as well as birth dates and driver's licence numbers, were left exposed beginning in January 2010.
  • April 2011: The Canadian government shuts down its online pay system for 320,000 employees after officials discovered the privacy of eight workers had been compromised when the system was pulled offline for repairs. Information about salary, bonuses, travel expenses and such was unavailable for two weeks.
  • April 2011: A data breach at Dallas, Tex.-based email marketer Epsilon affects customers of Air Miles, Best Buy Canada and Victoria, B.C.-based AbeBooks. Other companies affected included Capital One, Barclays Bank, U.S. Bancorp, JPMorgan Chase & Co. and Citigroup, along with hotel chain Marriott International Inc., Walt Disney Co.'s travel subsidiary Disney Destinations, TiVo Inc., Kroger Co. and Walgreen Co.

More than 70 per cent of PlayStation 3 video game consoles are connected to the PlayStation Network, which allows users to play online games, surf the web, chat with friends and download games and other content from the PlayStation store.

The breach also affects users of Sony's Qriocity service, which streams movies on demand to compatible Sony devices such as HDTVs and Blu-ray players for a monthly fee. The company said it could not provide user statistics for Qriocity.

Sony announced the data breach on its PlayStation blog Tuesday afternoon, six days after it shut down both services after learning of an "external intrusion" on April 19.

Tuesday's blog post detailed the personal information that Sony believes "an unauthorized person has obtained" from users:

  • Name, address (city, state, postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID.
  • Possibly other profile data, including purchase history and billing address (city, state, postal code), and the subscriber's PlayStation Network/Qriocity password security answers. The same data with respect to a dependent may also have been obtained. If an account holder provided credit card data, the credit card number (excluding security code) and expiration date may also have been obtained.

The company said in a clarifying blog late Tuesday that it did not inform users of the breach earlier because it took until Monday "to understand the scope of the breach" following several days of forensic analysis by outside experts.

Meanwhile, the Office of Canada's Privacy Commissioner, Jennifer Stoddart, is seeking information from Sony about the breach.

"We are currently looking into this matter and are seeking information from Sony," said a statement from her office Wednesday.

The statement said Sony did not notify the office of the breach.

The United Kingdom's Information Commissioner, who enforces the country's Data Protection Act, has told the London-based Telegraph newspaper that he is also contacting Sony to learn more about the incident.

'Perfect targeting mechanism'

Paller said the breach is particularly dangerous to users because of the valuable information contained in the billing data about users' behaviour and preferences, which can be used to craft personalized scams.


"It's extremely dangerous because it's a perfect … targeting mechanism for targeted phishing."

The data may be used to contact users and sell them what appears to be a new game, an update to a game or a trick in a game, Paller said.

"The big money in organized crime is still in those scams," he added. "They work extremely well when they're designed for you."

He added that people behave unusually cautiously for less than 90 days after an incident like this, and criminals will likely target victims multiple times over a long period.

Nicolas Christin, associate director of the information networking institute at Carnegie Mellon University, suggested that PlayStation Network users contact their credit card companies, just as they would if they had left their credit card in a public place.

At least one question in Sony's FAQ about the breach suggests that some of the data may be used to extract more personal information: "I got an email from you asking for my PSN/Qriocity sign-in ID and password. Is it really you asking for this information?"

Sony said it will never contact users by email asking for their credit card number, Social Security number or other personally identifiable information.

Too much personal data?

David Skillicorn, a Queen's University computer science professor who researches cybersecurity, said the large number of users affected means individuals are unlikely to be targeted by identity-based scams, other than ones that are email-based.

"Your chance of being the few hundred people out of the 77 million that they picked are pretty slim."

He said Sony's problem is the much bigger one: "It will take them a long time to get the trust back."

Neither Skillicorn nor Christin think there is anything users could have done to protect themselves, although Skillicorn questioned why Sony collected so much personal information in the first place.

"It's not clear to me why on earth you would want anyone's physical address as part of being able to play on the PlayStation."

Paller said gaming and social networking sites are particularly vulnerable to attacks like this because they are:

  • Open, allowing almost anyone to join, as that is part of their business model.
  • Constantly doing new things because that's their survival strategy, and the new computer code that allows them to do that tends to have flaws.

However, all three cybersecurity researchers said there were likely things Sony could have done to reduce the risk of this kind of breach.

"There must have been some problem they didn't deal with," Skillicorn said.

Christin said it appears Sony likely did not partition its network to reduce the chance that the entire network would be affected if one part was compromised.

Paller believes encrypting or geographically separating data isn't an effective defence. He recommends instead that companies require their developers to use secure coding techniques, which are not widely taught.

However, Christin noted that Sony has so far been very reluctant to release much information and he hopes the company will be more forthcoming.

"If the companies are not co-operating by not disclosing what happened, then we cannot learn anything and we are bound to repeat the same mistakes."