Ronnie05's Blog

How safe is user data online? (The Sony episode)

Posted in Industry updates by Manas Ganguly on May 3, 2011

In an interview some time back, Julian Assange alleged that Facebook is the “most appalling spying machine”, one which exposes the private information of over 600 million subscribers to lawmakers and other national security agencies in a breach of fair rules of user privacy. Within days of Assange’s interview, we heard from Sony Corp, a leading Durable and Gaming brand, about two counts of security breaches of its online networks. The first attack, on Sony’s PlayStation video game network and Qriocity online music and film service, happened between 17th-19th April and exposed names, addresses, passwords and possibly credit card numbers of its 77 million customers. The second attack (which preceded the first one but was discovered later, possibly 16th-17th April) had drilled a hole through the Sony Online Entertainment network and had compromised credit card data relating to 24.6 million of its consumers and debit card data of around 10,700 more customers in Austria, Germany, the Netherlands and Spain. Sony has said in a statement that the main credit card database had not been compromised, as it is housed in a safe and secure environment.

What saves the day for Sony Corp is the second-level security data: the three- and four-digit codes that are used as a second source of authentication by many online vendors. The network passwords were also protected by a level of security called a hash algorithm, in which the word users type in is converted on Sony’s servers to a string of characters entirely unrelated to the original password. With the passage of time, the value of this stolen information diminishes greatly as banks and users increase security precautions around such credit card data or cancel the cards altogether. However, hackers may try to hijack e-mail accounts by attempting to access the ones provided to Sony and plugging in PSN passwords to see if they were re-used for both. They may also go spear phishing for data through fraudulent emails that contain enough personal information to persuade victims to let down their defenses, which can be enough to get them to click on a link that downloads malicious software onto their personal computer.
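How the server-side hashing described above works, as an added example (not Sony's code and not part of the original post): the server keeps only a salted, deliberately slow hash and re-derives it at login. The function names, the choice of PBKDF2 and the iteration count are assumptions; the post does not say which algorithm Sony used.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_digest(password: str) -> str:
    """Fast, unsalted hash: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, derived_key), the only values kept in the account record."""
    salt = os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    """Re-derive from the login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def demo() -> dict:
    # Constructed sample: two accounts that happen to share one password.
    pw = "correct horse battery"
    alice, bob = store_password(pw), store_password(pw)
    return {
        # Without a salt, a shared password is visible as a shared digest.
        "unsalted_match": unsalted_digest(pw) == unsalted_digest(pw),
        # With per-account salts, the stored values differ.
        "salted_match": alice[1] == bob[1],
        "login_ok": verify_password(pw, *alice),
        "wrong_rejected": not verify_password("guess", *alice),
    }


if __name__ == "__main__":
    print(demo())
```

Hashing slows recovery of stolen passwords, but it does not protect an account elsewhere that re-uses a password once that password is recovered, which is why the re-use risk the post describes remains.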

The financial impact of this security incident for Sony depends on how well the company convinces customers it “will make things right”. The outflow for Sony in terms of credit card fraud, network repair and marketing costs is $50 million. The cost of lawsuits would add to that figure in some measure. The impact for the credit card majors could be around $500 million. How about user faith and confidence in Sony? The loss of that (in MasterCard’s tagline) is priceless.
