Thursday, 28 April 2011

Sony sued, could bleed billions after breach

Sony

UPDATED: 10 p.m. PST

Gamers and government officials are irate over Sony's admission that a massive security breach gave hackers access to large amounts of personal data from the company's PlayStation Network and, surprise(!), one gamer has already filed a lawsuit.

Meanwhile, analysts estimate the hammered game company could lose billions of dollars from the debacle.

On Tuesday afternoon, Sony of America's director of communications said that "an illegal intrusion" in their system has caused a "compromise of personal information." And while Sony officials don't believe credit card information was taken, they say that hackers may have taken names, addresses, email addresses, birthdates and passwords among other things.

On Wednesday Kristopher Johns of Alabama filed a suit in U.S. District Court accusing Sony of "negligence in data security" and of not taking "reasonable care to protect, encrypt, and secure the private and sensitive data of its users" as well as for taking too long to notify him and other customers that their data had been pilfered.

Johns and his attorneys are seeking class action status for the case as well as monetary compensation and free credit card monitoring for everyone affected.

"Sony's breach of its customers' trust is staggering," J.R. Parker, co-counsel in the case, told IGN. "Sony promised its customers that their information would be kept private. One would think that a large multinational corporation like Sony has strong protective measures in place to prevent the unauthorized disclosure of personal information, including credit card information. Apparently, Sony doesn't."

There are some 77 million user accounts with the PlayStation Network and Qriocity service, which allows gamers to play games online together as well as purchase and play movies and music.

As we previously reported, the PlayStation Network abruptly went offline last Wednesday, April 20. On Tuesday gamers grew increasingly irate as news of the data theft spread, wondering why it had taken Sony six days to reveal that personal information had been taken. Sony responded Tuesday evening by issuing a follow-up statement insisting that they did not know that personal data had been taken until Monday.

Answering customer questions
On Wednesday evening, Patrick Seybold, Director of Corporate Communications for Sony of America, attempted to calm customer fears by posting a series of answers to frequently asked questions.

"We are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation," he wrote. "This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible."

He explained that, though Sony can’t rule out the possibility that credit card data was taken, it is unlikely because that data had been encrypted. He added that there was no risk that the three-digit credit card security codes from customer cards were taken because Sony never collected that information.

The personal data that was illegally accessed, on the other hand, "was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack" Seybold explained.

He added that Sony is currently working on a new system software update that will require all users to change their password once PlayStation Network is restored. And he said Sony is in the midst of initiating several measures "that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location."

International outrage
Still, government officials from several countries are bringing the hammer down on Sony.

via Reddit

While many people are angry about the PlayStation Network data breach, some folks are having a bit of fun at Sony's expense. Here's a new look at Sony's "It Only Does Everything" motto for the PlayStation 3.

In the UK, the Information Commissioner Office — a government agency that seeks to uphold information rights and data privacy — says it's looking into whether or not Sony has done enough to protect sensitive user information, and if it alerted the public to the breach in a timely manner.

"The Information Commissioner's Office takes data protection breaches extremely seriously," the organization told Eurogamer Wednesday. "Any business or organization that is processing personal information in the UK must ensure they comply with the law, including the need to keep data secure. We are contacting Sony and will be making further enquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office."

Meanwhile, according to several Australian newspapers, the Australian Privacy Commissioner, Timothy Pilgrim, has said he will be opening an investigation into the breach. And in the U.S., outraged Sen. Richard Blumenthal (D-Conn.) sent a letter to Sony of America CEO Jack Tretton demanding answers about the company’s failure to notify millions of customers about the data breach in a timely manner.

But in Japan where Sony is based, one of the highest ranking government officials — Chief Cabinet Secretary Yuko Edano — issued a more diplomatic statement directed at Sony.

"Private businesses must safeguard the personal information they have with the maximum care possible," he said, according to game site Kotaku.

Financial fallout
Meanwhile, estimates are rolling in about how much this debacle is going to cost Sony.

As VentureBeat reports, estimates are ranging anywhere from $20 million in lost revenues for a couple of weeks of down time to $24 billion for the total costs of dealing with the loss of personal customer data.

Michael Pachter, a video game analyst for Wedbush Morgan, told VentureBeat he estimates that Sony makes about $500 million in annual revenue from PSN which comes out to about $10 million per week. Sony has estimated it will take another week to get the network up and running on top of the week it's been down — hence the low-end $20 million guess.

On the other end of the spectrum, Forbes has cited a study from security think tank Ponemon Institute that estimates it costs $318 per compromised record for a data breach. With 77 million PlayStation Network user accounts that adds up to the $24 billion estimate.

On a Frequently Asked Questions page created by Sony, the company has admitted that some gamers are already asking for compensation. Its response: "While we are still assessing the impact of this incident, we recognize that this may have had financial impact on our loyal customers. We are currently reviewing options and will update you when the service is restored."

Meanwhile, as Kotaku reports, Hulu is offering compensation to some of its Hulu Plus subscribers who rely on the PlayStation Network to access their TV and Movie content. Reads a letter sent to some subscribers:

Unfortunately, due to the outage on PlayStation Network, Hulu Plus subscribers cannot currently access the application on the PS3. We understand this is frustrating, and we are looking forward to Sony restoring access to the application as soon as possible. In the meantime, we'd like to offer you a 1-week credit toward your Hulu Plus subscription.

Despite the enormity of this mess, some folks can't help but have a little fun at the expense of Sony.

As you can see, the National Nerd Relief Fund is hoping to raise money to help get the PlayStation Network back up and running as soon as possible ... for the sake of Sony fanboys everywhere.

For related news, please see:

Winda Benedetti writes about games for msnbc.com. You can follow her tweets about games and other things right here on Twitter.