Last month, Sony announced that its' PlayStation online gaming network was victimized by a cyber hacker, who may have been able to gain access to the credit card information of 77 million users. Just last week, Sony said that the breach was worse than previously thought, as the company revealed that the accounts of nearly 25 million more users may have also been compromised, bringing the total of affected users to more than 100 million.
Online data breaches are not a new phenomenon. Since the Internet's inception, there have been people dedicated to using at it tool for their own personal gain, breaking in and stealing the financial and personal information of businesses' employees, partners and customers.
Many of these breaches can be attributed to insiders, who sometimes allow crooks to gain access to sensitive files by not properly destroying documents or carelessly leaving computers and thumb drives out in the open. Other breaches are the work of sophisticated computer hackers, as appears to be the case in this incident. The consequences of such an intrusion can be devastating to an organization, both financially and reputation wise.
Todd Feinman, CEO of Identity Finder, which makes software that analyzes computers for personal data, said that one of the biggest issues that the PlayStation Network breach brings to light is data segregation. According to Feinman, information such as names, credit card information and e-mail addresses should be segregated such that if there is an intrusion, a hacker cannot go to just one place to retrieve this data. And while the law requires credit card data to be encrypted, Feinman advises companies to also encrypt personal information to minimize their risks.
"Overall, you want to make sure that you have a multi-faceted approach," Feinman said.
Though Sony has not confirmed that credit card data was stolen, the fact that a myriad of other personal information was compromised that could open users up to incidents of identity fraud is alarming to Feinman.
"I'm very disappointed that (Sony) has not acknowledged anything related to the damage caused by them related to the personal information that has been confirmed to be stolen," he said. "They're saying that credit card data might have been stolen, but they are not confirming it, so they're not apologizing for it. But they are confirming that passwords and logins, e-mail addresses, dates of birth, personal addresses, and full names have all been stolen. That kind of information can absolutely be used to commit identity fraud."
In a letter to the House Subcommittee on Commerce, Manufacturing and Trade, Kazuo Hirai, Chairman of the Board of Directors for Sony Computer Entertainment America, told lawmakers that the company is operating on several key principles in responding to the cyber attack which include; acting with care and caution; providing relevant information to the public when it has been verified; taking responsibility for their obligation to customers; and working with authorities to track down those responsible for the breach.
"I am of course aware of the criticism Sony has received for the time taken to disclose information to our customers. I hope you can appreciate the extraordinary nature of the events the company was facing - brought on by a criminal hacker whose activity was neither immediately nor easily ascertainable. I believe that after you review all the facts you will agree that the company has been acting in good faith to release reliable information in accordance with its legal and ethical responsibilities to its valued customers," wrote Hirai. Click here to read the full letter (PDF file).
It remains to be seen what impact the breach will have on Sony, but Feinman believes it will not be enough to significantly harm the company.
"Here's the unfortunate thing. That kid that likes playing whatever the new video game is, he's probably not going to stop playing PlayStation," Feinman said. "How is this going to affect Sony's reputation and their credibility going forward? Probably not nearly as much as it should."