SONY has admitted that it failed to encrypt the personal information of 77 million PlayStation Network users stolen by hackers a week ago.
The hacking has affected around 715,000 Australian consumers, in what has been described as the largest known security and privacy breach in Australia thus far.
It affects not only PlayStation users with network accounts but users of Qriocity, a Sony service that offers streamed movies and music.
In a post on its PlayStation blog, Sony said it had encrypted credit card details but didn't extend the safeguard of encryption to its "personal data table".
"The entire credit card table was encrypted and we have no evidence that credit card data was taken," Sony said in its PlayStation blog.
"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
Sony has not revealed what is contained in personal data tables but acknowledged that customer names, home address, billing addresses, email accounts, passwords, birth dates and other personal details were stolen by hackers in the security breach.
It has yet to clarify whether customer user IDs and passwords were housed in separate databases.
Sony said access to its data had been restricted both physically and through the perimeter and security of the network.
The company had begun emailing affected customers to notify them of the breach but has warned people to be wary of fake Sony emails requesting credit card numbers or other personally identifiable information.
Some users claim to be victims of illegal credit card transactions but Australia's major banks said there has been no evidence that the PlayStation data breach has been linked to credit card or identity theft.
The banks said there hasn't been any significant increase in the number of customers seeking to have their credit cards cancelled or reissued.
An ANZ Bank spokesman said there had been only a small spike in calls to its credit card call centre yesterday -- an extra 300 calls in addition to about 30,000 calls it received daily.
However Australian Privacy Commissioner Timothy Pilgrim said the commission was already getting inquires from Sony customers.
"People are beginning to be concerned and ringing our line to get information," Mr Pilgrim said.
Mr Pilgrim yesterday said he had begun an investigation into the data breach and would ask Sony to explain how this incident occurred, what security measures were in place to prevent it, and the extent of the breach.
In developments overseas, an Alabama man is reported to be the first person to lodge a lawsuit directly related to the PlayStation Network breach. He is claiming compensation and free credit card monitoring, and is seeking class action status.
Sony yesterday said it knew of the hacking a week ago, but it had been unaware of its severity and the theft of user account details until Monday.
"It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon," Sony said on its blog.
Local computer emergency response group AusCERT said users needed to change all passwords on accounts that used the same password as their PlayStation account.
Senior information security analyst Zane Jarvis said it was common for users to use the same account name and password for all types of accounts and their email address and PlayStation password had been linked by the theft.
PlayStation users particularly should be on the lookout for an increase in phishing emails, including possible fake emails from Sony. Cybercriminals would "go to a lot of effort to make them look real".
Mr Jarvis said that through phishing, criminal gangs would seek sufficient personal information to open bank accounts in the names of victims to get credit, a driver's licence or even a home loan. Or they might simply take over email addresses to distribute spam.
Australian security expert Bill Caelli said the PlayStation Network hacking would cause great anxiety among users as there was no closure and no way of knowing where or when a threat to personal security would occur.
"The fact you don't know breeds uncertainty, you just don't know where and when."
Professor Caelli, from Queensland University of Technology's Information Security Institute, echoed Mr Pilgrim's call for Australian legislation requiring mandatory disclosure of privacy breaches.
He said the world should thank the "governator", former Californian Governor Arnold Schwarzenegger, for California having legislation that requires companies such as Sony to come clean about hacking and data breach events.
"But in Australia we're still arguing about it. This (case) gives new impetus for Australia having mandatory disclosure with criminal consequences for failure to comply."
Professor Caelli described the breach as the largest security and privacy breach so far in Australia.
Sony's PlayStation Network remains offline however the company expects to restore some services within a week.
"Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday," the blog said.
"However, we want to be very clear that we will only restore operations when we are confident that the network is secure."
There are over 1.1 million PlayStation 3 devices in Australia -- approximately 65 per cent are connected to the PlayStation Network, which gamers use to spar online and purchase services like movie downloads.
Additional reporting: Debbie Guest
No hay comentarios:
Publicar un comentario