Sony may not have confirmed until April 26-a full week after discovering a major intrusion into its PlayStation Network-that consumer information had actually been stolen.
Angry Sony consumers criticized the company for not informing them that their personal data had been stolen immediately after discovering the data breach on April 19. Sony shut down the PlayStation Network and Qriocity music services to investigate the breach and to prevent any future attacks, but did not provide any details about the cause or effects of the PlayStation Network outage or the data breach until April 26.
It's already prompted at least one customer to bring a lawsuit against Sony. The first class-action lawsuit on behalf of angry PlayStation Network members was filed by Kristopher Jones of Alabama on April 27 in the United States District Court for the North District of California. The lawsuit accuses Sony of breach of warranty, negligent data security and violations of consumers' rights of privacy.
Patrick Seybold, the director of corporate communications and social media for Sony, clarified the timeline in a blog post on April 27. After shutting down the services, Sony brought in outside experts to help investigate how the intrusion occurred and to determine the nature and scope of the breach, according to Seybold. It took "several days of analysis" to understand what had happened, Seybold said.
"There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised," said Seybold.
Sony discovered "between April 17 and April 19" that an unauthorized individual had gained "illegal" access to personal information stored on the PlayStation Network and the Qriocity online music service. The accessed information included names, addresses, log-in and password credentials, password security answers, email addresses, and birth dates. The company wasn't sure whether user purchase history and credit card information were compromised but warned users "out of an abundance of caution," Seybold said.
"If your success is dependent on the loyalty and trust of your customers, you had better be protecting that asset. Investing in next generation security is a 'must have' if you value your data and your customers," Harry Sverdlove, CTO of Bit9, wrote on the company blog.
It was possible that the attacker got into Sony's systems via a phishing email crafted using information readily available on social networks, according John Pescatore, a computer security analyst with Gartner. "They do their research on LinkedIn, Facebook and other social networks to gather personal information on a targeted group of people who are most likely to have administrative-level passwords to these systems," Pescatore said. The phishing email may have directed victims to a malicious site that downloaded keyloggers to steal log-in credentials, according to Pescatore.
"Once they log in, using a legitimate account, they have the keys to the kingdom, and the data goes flying out the door," Pescatore said. Sony has not provided any details as to how the breach happened.
While the specter of identity theft looms over the data breach, there is also the chance of attackers using the information to launch targeted spear phishing attacks to trick users out of even more sensitive data. The information taken from PSN "contains enough information to convince you the email has been sent from someone you know and trust," Paul Henry, a security and forensic analyst at Lumension, told eWEEK. Consumers should "exercise caution when receiving any email right now," he said. Don't click on any links or open any attachments unless its delivery was expected, according to Henry.
The "vagueness" of the data breach provided the attackers with the opportunity to exploit that data, Mandeep Khera, CMO at Cenzic, told eWEEK. While it's understandable that Sony had to get forensics done to find out how it happened, consumers have lost trust in the company, according to Khera. "Consumers trust big businesses like Sony to keep their data safe because of their well-known name in the electronics industry. Once that trust is gone, they may begin to look elsewhere," Khera said.