May 28, 2011 - On April 26, 2011, Sony PlayStation reported "a compromise of personal information as a result of an illegal intrusion on [their] systems." In other words, hackers had broken into PlayStation's online network. Reports from PlayStation are that external intruders had obtained account names, passwords, addresses, phone numbers, birth dates and security question/answers for approximately 77 million network users.
As a result, Sony PlayStation's brand reputation management team is probably working overtime. They are dealing with a massive privacy breach, considering how and what they report to their customers, trying to maintain their business and the confidence of their customers, as well as manage their legal liability. Businesses large and small should take note. If it can happen to an organization as technically savvy as Sony PlayStation, it can happen to you.
PlayStation has reported that their credit card table was encrypted and there was no evidence that credit card data was taken. PlayStation admitted, however, that the personal data table was not encrypted. Malicious attackers managed to breach their very sophisticated security system.
Within moments the blogosphere was ablaze with accusations that PlayStation did not really protect users' personal information at all. One online commentator has said it was like PlayStation was a bank where robbers penetrated the building, found credit cards in a vault and left the personal information out on the counter for the taking.
PlayStation says its network will be down for about a week, until it has reconstituted all of the personal information and ensured the network is secure. Will PlayStation's network users return?
Not surprisingly, users have been vocal about their displeasure in social media. PlayStation's reputation is taking a serious beating. It did not take long for a "WTF!?" YouTube video to get over one million views. In the first 45 seconds of the eight-minute video, the commentator accuses Sony: "maintenance, it's just a cover up." Sony's reputation has taken a further beating after news came out that another 25 million accounts may have been hacked and thousands of direct debit records had been accessed illegally. Many users are disappointed that Sony took so long to advise customers about the breach.
Legal liability is a real issue in this case. Apparently, PlayStation was aware of the intrusion for almost a week before advising its users of the loss of personal information. The extent of the loss may not yet be clear. To be cautious, users are being advised that their credit card information may have been obtained and that they should change their passwords. An online participant who made supportive comments of Sony's response to the intrusion already assumed litigation will ensue. He ended his post on the PlayStation blog with: "Thank you for this update, and good luck with the impending class action lawsuits." Apparently the lawsuits are already being filed.
In addition to the business and reputational risks, in Canada, privacy breaches like this can expose organizations to legal liability. Private organizations have a legal obligation to take reasonable steps to safeguard personal information from loss or theft, as well as unauthorized access or disclosure. If an individual is successful in a complaint to the appropriate Privacy Commissioner, they have a further right to seek damages in Court for harm suffered from a privacy breach. What are the chances that a Privacy Commissioner would agree with many of the PlayStation network users who have voiced their view that PlayStation's failure to encrypt their personal information was shameful? It looks like we may find out, as the federal Privacy Commissioner has already begun making inquiries.
The PlayStation panic is another reminder that businesses ought to be vigilant about their network security and the protection of personal information. Emerging technology brings organizations new benefits, but it also brings new risks of unauthorized use and disclosure. Privacy protection should be a primary consideration in the implementation of any new system. Businesses should audit their information systems and security. Although cost and other business considerations can sometimes seem to weigh against privacy, in the long run, good privacy is good business.
This time around, PlayStation is assuring the public that its network will not go back online until it is secure. Hopefully, it is not too late for Sony and its customers.