Sony Sued For PlayStation Network Data Breach
suraj.sun writes "Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed. The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the US District Court for the Northern District of California. Johns accuses Sony of not taking 'reasonable care to protect, encrypt, and secure the private and sensitive data of its users.' He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"
That'll teach them.
the great battle of our time...
I'm not sure I buy that first part, given that no online service is ever going to be 100% secure. I understand that one should take prudent steps toward making a "best effort" in that regard, but at the end of the day, if some well-funded crime kingpin wants in, there probably isn't much you'd be able to do about it. It's the second one that has my blood boiling in sympathy, partly because this is practically Sony's trademark: if something goes wrong with their products, don't go public with it, don't acknowledge it, don't even think about it, and maybe it will go away!
So, they sat on it for a week...
And in the process, they are claiming that they do not have any reason to believe that Credit Card Information was actually accessed.
It seems as though the core concept of this case hinges on whether or not Credit Card numbers were actually accessed, which is something that Sony will definitely be going out of their way to hide, as it is grounds to show that all claims are ultimately invalid within this case.
In any case, there would need to be disclosed proof stating that not only Credit Card numbers *were* accessed, but that Sony *intentionally* went out of their way to hide this fact from their customers.
Seems flimsy at best.
So, this will probably turn into a class action lawsuit in the coming weeks. Lawyers will get incredibly rich, and those affected will get a free PS3 wallpaper or something.
Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"
Normally to sue a corporation over claimed negligence, you actually have to show that you were harmed.
Meaning, the plaintiff will probably have to show his inability to take mitigating actions due to Sony's negligence actually resulted in a loss or damages.
I suspect that will be difficult to pull off, unless his CC account was hacked / fraud was committed against him already as a result of the intrusion into Sony's network.
As for damages related to 'closing the account'.... if he were taking mitigating action, he would have to incur that loss regardless of whether Sony informed him earlier or not.
Now his bank and the payment card industry should be the ones taking the strongest stance against Sony; since it's the banks that most immediately bear the cost of fraud (due to policy of $0 liability for unauthorized account use; once the account owner identifies the transactions as fraudulent).
I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.
Sadly, I know how this is going to turn out. There will be a class-action suit in which Sony is fined heavily. But the vast majority of the money will go to some shark lawyer, and the only thing the people affected by this will receive is a free 1-month subscription to PSN+. Actually, I'll be surprised if they even give us that much.
If this DOES go class-action, I will definitely be on the lookout for my notice to opt out. If I see any erroneous charges on my card stemming from this massive amount of incompetence, I want to retain my full legal right to bring my own suit against Sony where they will be required to provide me with credit monitoring and credit fraud protection. I'm sorry, but a boilerplate "we're sorry" and some token gesture are NOT going to cut it here.
"So after all this, you make my case for me. To end this stalemate, you must die..."
signed
It takes time to find out what has been compromised. The hacker won't just come out and say "All your base are belong to us." Sony told us when they found out. If they did say that there is a possibility on day one that it may be compromised then there would be a lot of hectic and closing bank accounts on a hunch. If nothing had been compromised and they told us it may be (on day one) then people would be mad and still sued Sony for misleading them. Crap happens, suing doesn't make it better. Plus nobody said you had to create an account, nor did you pay for it.
46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4
sysadmins and parents of newborns get the same amount of sleep.
How can he sue for damages if he has no damages to sue for?
So why would this data be valuable to hackers? Two reasons I can think of.
1. It's a password gold mine. Since most customers reuse passwords, knowing one set of irrelevant passwords can give clues or even directly produce another set of more valuable passwords.
2. If it's information such as full name and address, and other personal information, this information can be sold on the underground black market or in the regular market. Hackers can use the personal information to commit crimes against these people, to intimidate, or to socially engineer. And if any Sony employees also had accounts it's possible they could have been compromised as well.
So the way to protect against this is simple. Never reuse passwords. Encrypt the names and addresses so that it's only accessible from inside the building. This won't prevent hacking, but it will make it hard enough so that only an insider can hack. Something as simple as a smart card ID for all employees accessing the personal information would be enough to create an audit trail, make it harder to access remotely, and to provide the decryption key in an easy to use intuitive format. You scan your ID into the computer when you get to work and it can decrypt. You remove the ID and it's encrypted. Someone hacks into it, unless they have an ID card it should be encrypted.
It's funny how Sony works so hard to protect their data and content via all their DRM attempts, when it's their customers' - not so much. On the other hand, they now have something to point to when people want to run whatever OS they want to run on their machines. Still, they can't stop it, they should focus on keeping their customers' credit card info out of harm's way (remind me why they need to keep persistent credit card data anyway? That should be an opt in only type of thing, with a required expiration date otherwise.) On a related note, when I set up a new account at my bank they only allow alpha-numerics with no special characters. WTF? Try to explain rainbow tables to a bank representative. So I used all of them ... I had the longest password she had ever seen.
you are in a twisty maze of different passages.
Actually I just got a notification from Sony about this today.
And according to this http://vgn365.com/2011/04/26/psn-users-reporting-hundred-of-dollars-stolen-from-them/
The CC's are already in the wild.
I know Visa is aware of the issue. They have reissued me a new card based on this information.
So yeah, it could go somewhere.
So he's after recovery of damages, but so far it doesn't indicate that he's experienced fraud, and it's not going to come out of his pocket anyways (the credit card company would handle any fraudulent charges).
He also wants credit card monitoring services, but it's not exactly clear that Sony would not have offered such services. It sounds like they're still investigating the extent of the breach. By making it part of the lawsuit, just how long will it take to get the services? After the lawsuit has been settled several months from now? I'd bet that he'd get the services a lot sooner through public pressure than as a remedy of a lawsuit.
Which leaves the third part of what he seeks - recovery of lawyer fees. Now it's pretty clear why this lawsuit exists at this stage - the opportunity for the lawyers to get rich in the name of consumer protection.
They really messed up this time! Life is a bitch, ain't it?
Our wonderful, conservative-activist Supreme Court just ruled today that any company may stick a line in their EULA stating that by using their product, you forfeit the right to sue, and must instead use a private arbiter of the corporation's choice. They based this decision on a 90 year old law that was written to cover maritime shipping disputes.
Of course, since most contracts these days state that the corporation has the right to change the terms at any time without notice, this basically means that you can no longer sue a company that you've entered into a contract with.
Still think you have rights? Not as long as a Republican holds office!
In a country where corporations like Sony effectively own lawmakers, criminal remedies are impossible. Civil cases involving "lawyer whores" are the only recourse allowed (short of vigilantism).
Hmm, something not right here.
PSN is free, so it's hard to imagine how anyone is entitled to any compensation there unless it's through a goodwill gesture by Sony (which they definitely should do).
No proof yet any credit cards have actually been compromised. And before you all get puffy and worked up, literally, NO PROOF of any CC problems that can be linked to the PSN breach have been proven (yet).
There's no way the banks would allow Sony to have access to CC accounts without being regularly audited, never heard of any problems there. So I would think it's safe to assume they've been following safe business practices or else we would have heard something by now.
According to latest reports, Sony reported the possibility of account & CC details being compromised a little over a day after they found out. Difficult to claim that's an egregious length of time given the circumstances.
With all that plus the fact that it's common knowledge that Sony has been repeatedly targeted by hackers and thieves out of revenge for Sony having the audacity to protect their network and customers, this lawsuit is going to have a very difficult time making any headway.
So what is exactly this lawsuit about? Since this originates in the US (the most litigious country in the world) I say it's just more ambulance chasing i.e. business as usual.
Sigh. What is with all these "hard time showing it" posts. He won't have a hard time if he gets a remotely qualified lawyer if they're at all at fault, although it may be incredibly costly.
IANAL, but maybe one can comment.
By filing the lawsuit, Sony has effectively been put on notice that they have a duty to preserve any and all evidence reasonably remotely related to this incident. They can still perform PR, issue press releases, study the breach...whatever. But any and all notes, emails, IMs, data records, metadatas, and files that are reasonably likely to have anything related to this incident must NOW BE RETAINED and are no longer subject to normal corporate data retention policy. That means they can't just ship the computers off to some third party forensics specialist who can conveniently lose them if they decide they can't get enough information to press charges against whoever did it. It means that if they have a policy of deleting any unused emails in 90 days, they probably get slapped hard. I believe some states even treat this as presumptive guilt these days.
Beyond any sort of wall-street /corporate data retention records, even their day to day correspondences are presumably subject to discovery...
Should they delete an email, a voicemail, shred a fax...whatever--they are likely to be sanctioned in the event it wasn't a reasonable accident. Given the nature of how corporations and the legal system work, the only reasonable thing to do if you suspect Sony was at fault IS TO FILE IMMEDIATELY. Because in a month, some of the relevant data may already be long gone.
And given we know they sat on it for a week, it seems reasonable to me to assume they have gravely screwed up--if only in due diligence and their ability to figure out what went wrong in event of a problem. And now Sony has to preserve all that related ESI and can't just shred it to protect their share price.
There's a reason they say justice favors the vigilant--given the workings of the system--the sooner you file, the more likely they are to have information you can access.
I got an email last month telling me that I needed to agree to new terms of service for the PSN, as they were transferring ownership from SCEA to a new Sony subsidiary, Sony Network Entertainment of America (SNEA). According to the terms, if I didn't agree, my PSN account would be closed and I would actually get a refund of outstanding funds in my wallet (i.e. it's serious enough for Sony to actually part with money). I haven't bothered with looking at the new terms (either way, PSN is useless when I'm still running firmware 3.15), but I have to ask: who exactly got attacked here? Is there a meaningful difference? Would my info be on the compromised systems when I've not consented to SNEA's terms?
I agree with the one time tokens. That would be a good start.
I think we have to consider that even if we did secure financial information, and we definitely should, what about the address and other information? The company has to have that unless we can find a way to secure it offsite and add it to the one time token concept. This way the entire token expires immediately after payment, including the real name and address which could be within the token.
Well, I received 'official' notification about this approximately 2 hours ago - 8.55am, April 28 (Aus EST). The email is vague hand waving at best, and they suggest that once the service is restored, you change passwords and check your credit card statement. Of course, they couldn't have my CC details, because Sony wouldn't have stored such information in plain text, now would they...?
Usually I am against the rampant lawsuits over hot coffee and anything else the shills can think of, but this is one I am in favor of.
Sony seems to have taken over as the current best example of "Evil Large Corporation" in the public eye, and deservedly so.
Now if we could just get the pharmaceutical companies.......
Linux computers, watercooled, photography
This is one week after the shutdown:
"Add PlayStation_Network@playstation-email.com to your address book
"line" (to account for the junk filter)
PlayStation(R)Network
"line" (to account for the junk filter)
Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by rebuilding our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID. It is also possible that your profile data may have been obtained, including purchase history and billing address (city, state/province, zip or postal code). If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.
While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising that your credit card number (excluding security code) and expiration date may also have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit or similar types of reports.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority.
Please contact us at 1-800-345-7669 should you have any additional questions.
Sincerely,
Sony Computer Entertainment and Sony Network Entertainment
"The avalanche has already started. It's too late for the pebbles to vote." - Kosh
And not protecting customer information is the single worst thing they could do to harm their image.
I'm not even a Sony customer, and I don't own a PS3, but now that I see how lax their security is with such critical personal information, I will not be buying Sony products in the future. Sony is going to lose customers due to their obsession about profits and making money even at the expense of consumer information security.
http://www.latimes.com/business/sc-dc-0428-court-class-action-web-20110427,0,1239412.story
They could have warned you but they didn't. They knew it would cause panic and this panic could cause them to lose some customers.
Now we know 77 million customers are owned by hackers. We can thank Sony for waiting so long to tell us, and we can thank Sony also for caring more about DRM and security of their intellectual property than the security of personal critical consumer information.
What? Is your private information not as important or as valuable as theirs? I wonder how many celebrities and powerful families got their personal information compromised over this...
I still don't see any email from Sony to me. I know some people have gotten them, but it seems they're taking their sweet time on something that should have been sent A WEEK AGO.
If this goes class action, unfortunately this is going to end up with everyone getting $5 voucher towards a purchase on PSN or some other nonsense.
46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4
Is this some sort of code?
No, I'm ethically OK with pursuing the only legal recourse available in the near-total absence of modern statutory consumer protections (e.g. Europe).
But if you'd rather the vigilante route, we can always sic Anonymous on them again.
46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4
I intend to be elsewhere when the 70 million PSN account holders get a real live geek within their sights.
It is not going to be pretty.
Not to mention the money and firepower backing up those who sell products and services through PSN - and the banks who finance and service the transactions. They too will be out for blood.
Sue the crap out of them and be rich, otherwise you'll just probably end up with free X days the service was down, and your lawyer will be rich instead.
For one, you don't make getting in as simple as cracking one password from one computer which just happens to be connected to the internet and sending and receiving emails, running and downloading files, etc.
Malware is easy to protect a network from. Just don't let the network run anything it's not supposed to be running. Check files on the computer for changes once a day, basic stuff.
On top of all this, use encryption, and don't rely on passwords. Rely on something more secure than something which can be cracked by a dictionary or standard password cracker. Make the hackers crack the hardware and actually have to write code to hack the network.
It's always going to be possible with social engineering and unknown exploits or bugs in code, but you can audit code, you can use hardware to secure things that software can't, and you don't have to trust your employees.
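An added example, not part of the thread, of the daily "check files for changes" routine the comment above describes: a SHA-256 baseline of a directory tree, sealed with an HMAC so that someone who changes files cannot also quietly rewrite the baseline. The key is assumed to be held off the monitored host; the directory layout and file contents are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import tempfile


def snapshot(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):
                manifest[rel] = "link:" + os.readlink(path)
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def _mac(manifest, key):
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(manifest, key):
    """Attach an HMAC so the baseline itself is tamper-evident."""
    return {"manifest": manifest, "mac": _mac(manifest, key)}


def verify_seal(sealed, key):
    return hmac.compare_digest(_mac(sealed["manifest"], key), sealed["mac"])


def daily_check(root, sealed, key):
    """Compare the tree against the sealed baseline; refuse a forged baseline."""
    if not verify_seal(sealed, key):
        raise ValueError("baseline failed integrity check")
    old, new = sealed["manifest"], snapshot(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: one file changed, one removed, one added."""
    key = b"constructed-demo-key"  # assumption: kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/server", "build 1")
        _write(root, "bin/helper", "build 1")
        _write(root, "etc/app.conf", "debug=off")
        sealed = seal(snapshot(root), key)

        _write(root, "bin/server", "build 1 plus extra code")
        os.remove(os.path.join(root, "bin", "helper"))
        _write(root, "bin/dropper", "unexpected")

        report = daily_check(root, sealed, key)
        # Rewriting the baseline without the key leaves the old MAC in place.
        forged = {"manifest": snapshot(root), "mac": sealed["mac"]}
        return report, verify_seal(sealed, key), verify_seal(forged, key)


if __name__ == "__main__":
    print(demo())
```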
Yeah, so, they'll get a fine to offer affected customers a free downloadable game right? So what, they're just Custopeons.
But if you copy their game first, you're going DOWN terrorist!!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Sony seems to have taken over as the current best example of "Evil Large Corporation" in the public eye
It isn't Sony getting its reputation blackened. It is Anonymous, the geek, the cheat, the thief and the hacker, which the public sees as all of one kind.
Side channel attacks can work even when everything is right meaning implementation of a cipher is often a lot harder than the actual security mathematically. It's actually fairly easy to code or even design (theory) a cipher which cannot be cracked on paper, but then when you try to implement it that is a different story. If the cipher is symmetric then it's very easy to make it uncrackable and it wouldn't require a difficult design, but then the user has to memorize an extremely long password. This wouldn't work unless the user has a smart card with a smart card reader, or is some sort of rainman genius who can remember all the digits of pi.
Security has to be strong and simple. Simple enough that a child can use, strong enough that a PhD student would have to crack it. Passwords no longer are simple enough, and they never were strong enough when the websites limit password length to 12 characters. So truthfully we need to move away from passwords and move toward symmetric encryption. A smart card and a reader with hardware encryption, hardware generated entropy, hardware is harder to hack than software. And on the other end the company or bank has hardware, and a smart card reader. It's just not going to be cracked period, you can use symmetric AES256 and guarantee it.
But someone can steal the smart card and open it.
This one is looking like a global crime network with money laundering facilities and boots on the ground. This one is going to sting, based on some reports of illicit card accesses that have happened in the past week.
Help stamp out iliturcy.
I'm furious for the same reason. There is no reasonable excuse for being that ignorant when they have billions of dollars. They could have hired you, they could have hired me, and either of us could have secured their network better than that.
Do they even have an audit trail? What is the name of the man who was the Administrator? Or did they just root the Administrator computer and find a text file with everything on it?
Yeah, so, they'll get a fine to offer affected customers a free downloadable game right? So what, they're just Custopeons.
But if you copy their game first, you're going DOWN terrorist!!
And it's this profit over customers attitude that has turned customers against Sony. I'm sure many of these hackers like games and probably were fans of Sony before the boycott and protesting.
Now we see Sony doesn't care about customers at all beyond using them as a type of cattle to profit from.
It should not be possible to get card data out of your transaction processing server. That should be obvious. It should be able to receive card data and a linked account, and accept and confirm transactions from the linked account, but it should be completely unable to transmit card data. Obviously, card data should not be stored outside the transaction processing server in any form, format or fashion.
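An added example, not part of the thread, modelling the design the comment above asks for: a component that accepts card data and a linked account, confirms charges, and has no operation that returns the card number, plus an egress filter that withholds any response containing a Luhn-valid card number. The class names, request fields and `LeakyVault` mistake are hypothetical, the card number is the well-known test value, and an in-process Python class only illustrates the interface; real isolation would sit at a network or hardware boundary.

```python
import json
import re
import secrets
import string

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text):
    """True if the text carries something that looks like a real card number."""
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def _random_id(length=24):
    # Letters only, so an identifier can never resemble a card number.
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))


class CardVault:
    """Takes card data in and charges against it; never sends it back out."""

    def __init__(self):
        self._cards = {}  # token -> {"account", "pan", "expiry"}
        self.blocked_responses = 0  # would feed an alert in a real deployment

    def handle(self, request):
        handlers = {"store": self._store, "charge": self._charge}
        handler = handlers.get(request.get("op"))
        response = handler(request) if handler else {"ok": False, "error": "unsupported op"}
        return self._egress(response)

    def _store(self, req):
        pan = re.sub(r"[ -]", "", str(req.get("pan", "")))
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            return {"ok": False, "error": "invalid card number"}
        token = "tok_" + _random_id()
        self._cards[token] = {"account": req.get("account"), "pan": pan,
                              "expiry": req.get("expiry")}
        return {"ok": True, "token": token, "last4": pan[-4:]}

    def _charge(self, req):
        card = self._cards.get(req.get("token"))
        amount = req.get("amount_cents")
        if card is None or card["account"] != req.get("account"):
            return {"ok": False, "error": "unknown token for this account"}
        if type(amount) is not int or not 0 < amount <= 1_000_000:
            return {"ok": False, "error": "invalid amount"}
        # A real vault would submit card["pan"] to the acquirer over a dedicated link here.
        return {"ok": True, "confirmation": "cnf_" + _random_id(), "amount_cents": amount}

    def _egress(self, response):
        """Last line of defence: no response leaves with a card number in it."""
        if contains_pan(json.dumps(response)):
            self.blocked_responses += 1
            return {"ok": False, "error": "response withheld"}
        return response


class LeakyVault(CardVault):
    """Constructed developer mistake: a debug field that echoes the stored record."""

    def _charge(self, req):
        response = super()._charge(req)
        response["debug"] = self._cards.get(req.get("token"))
        return response


def demo():
    results = {}
    for name, vault in (("vault", CardVault()), ("leaky", LeakyVault())):
        stored = vault.handle({"op": "store", "account": "acct-42",
                               "pan": "4111 1111 1111 1111", "expiry": "12/30"})
        charged = vault.handle({"op": "charge", "account": "acct-42",
                                "token": stored["token"], "amount_cents": 1999})
        results[name] = (stored, charged, vault.blocked_responses)
    return results


if __name__ == "__main__":
    print(demo())
```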
The supreme court will just say we can't sue them anyway.
I HOPE HE WINS!
It's been going for how long without an intrusion? And the first sign of trouble they shoot themselves in the foot economically by pulling the plug on the service while they completely rebuild it, and go over every single log inch by inch to find out what the hacker did?
Oh, and there's a SLIGHTEST chance that some credit card information MIGHT have been compromised, (and then not even enough to make purchases with), they warn people to be wary of charges?
So again, what evidence is there that Sony failed to protect the data?
Sure, they've been aggravatingly close-lipped about it, but they informed the public about what information might have been compromised.
If they'd bring the network back up so I can figure out which password I used and change the relevant ones in my other online affairs?
Sadly, I know this is never going to happen with existing passwords in the wild.
If I remember correctly, the post from yesterday mentioned that included among the data that was compromised were CVV2 codes (that 3-digit code on the back of your CC).
Here's an interesting point about storing CVV2 codes...
http://en.wikipedia.org/wiki/Card_security_code
For that alone, Sony should have all of its merchant accounts revoked immediately.
My money's on the week-long delay between break-in and public statement about what information was grabbed was because Sony wanted to give its legal department a week to wind up before lawsuits started coming in. I bet that within 12 hours of Sony discovering the break-in, they knew exactly what was going on and fired up their legal department, calling in every single lawyer they have access to, and said lawyers have been working around the clock to brace for the impending legal storm.
When they were saying crap like "We're assessing the situation," it was entirely true...they just didn't specify that it was from a legal standpoint, rather than a technical one.
Their may be a grammatical error, misspeling, or evn a typo in this post.
Because clearly, it's Sony's fault-- and not the hackers' fault-- that the hackers broke into Sony's network. Sony's questionably ethical business practices do not warrant them the blame. He's suing the wrong people, all Sony is going to do is throw their EULA in his face.
fuck Sony out of some money you really do not deserve
You're right, I don't deserve a house, car, loan, money (even if I earned it myself) or anything that could happen because of the lapse in security that gives criminals enough information to ruin my credit rating and bankrupt me.
:)
But you're right, I'm just trying to make a quick buck
I got this e-mail from Sony this morning. A little late, perhaps? <sarcasm>
Though here's a question: How many other companies have the backbone to own up quite so readily, instead of trying to cover it up to save face?
Don't get me wrong, I'm not trying to defend Sony (after all, it seems that they're finally getting help to make their system more secure, implying that their efforts were not solid enough to start with). But what I am saying is that I generally don't trust businesses to keep secure personal and credit card information, which is why I didn't give Sony my credit card details (but sadly had to give my personal information.)
These companies are all interlinked and they deserve a good suing. 77 million users cannot be wrong.... take that on the chin you cnuts!
All cows eat grass!
Sorry, but it's time for Sony to die a quick death.
Rootkits, DRM, removal of "Other OS", lawsuits, and other stupid antics is what made Sony a big target.
If only Sony realized that they work for the consumer, and not the other way around.
Bye. Playstation was great, but your money men were not.
It's too soon to file a lawsuit if you really want to win, at this moment there is no real information on what really happened, and according to Sony they really only knew about the possible theft a day before they announced it due to the analysis being performed. Also it's not clear if security was adequate according to current standards (remember, NOTHING is unhackable). He should at least have waited a few weeks before filing a lawsuit.
People are so overreacting, if my credit card has been stolen then well Sony you fucked up. If hackers didn't break the encrypted servers, well looks like someone got my personal info without being my friend on Facebook. I'm only slightly upset over this whole deal at this point and that's mostly because I have to wait a while longer to play Arcana Hearts 3
This would not happen to Amazon, PayPal or any other instance with 77 million users - with sensitive personal data. I'm still hoping that it wasn't criminally motivated intrusion. There is still a tiny chance, that the one who did it was just proving a point. Tried to play something last night, but it didn't feel the same any more. Might say that now I know how abused spouses feel.
Is it just me, or would a certain hacker have a reason to destroy Sony's network and get Sony sued, and this certain person would have the talent to pull it off, heh. But really, Sony did need this reality check; they have been riding a high horse and even threatening customers with modded systems. It's nice to see the knife pointed at them. And the sad fact is the guy who is suing is totally correct: Sony was way overzealous that their PS3 and network could not ever be hacked and didn't bother to encrypt shit past the first stage of security, which is why we have the keys for both PSP and PS3 and someone got dev access to the entire network. Who knows what really happened, though; maybe it was a case of a disgruntled dev.
Wait a minute... Didn't they take away the Install Another OS feature due to "security concerns"?
And now the PSN has been hacked, my information taken and I'm now at risk of fraudulent credit card charges....
I'm sorry but where's my check????
Somehow I suspect that Anonymous are behind all that's happening now to Sony. It all may be a very clever plan to make Sony pay for some of their sins.
You've made an enemy out of a lot of the community.
I have 2 PS3's and 25 games on my shelf.
LEGITIMATE games.
Do you know why I purchased a PS3? The real reason I originally purchased it? There were 2 reasons.
1 was God of War 3, which took 2 years after I got the thing and was surprisingly not as good as #2
2 XBMC was rumoured to be coming to PS3, via the loophole to the hypervisor through Linux. More beautiful XBMC goodness.
You closed that loophole and I STILL forgave you because I loved the games, I forgave you guys for a lot of shit, a LOT - I even put up with taking Linux away - but this Geohot thing was the final straw.
Even if my details are compromised as one of the customers, who cares. GOOD - fuck you assholes for treating the customers with utter contempt.
Looks like Hitler will join the suit
"We have an A-Bomb...what more do you want, mermaids?" --I.I. Rabi, speaking in defense of Robert Oppenheimer
it should be Visa and Mastercard. I doubt Discover would; they're just happy to be finally noticed by scammers.
This really doesn't surprise me at all. Sony has historically had a horrible customer service model in pretty much all of its products and services. I remember the days of dealing with Sony Online Entertainment, and realizing this was the wrong way to do business with people. The company has always been top down directed, in that they respond only when faced with a scandal or its customers start leaving en masse, which was done in the early days of EverQuest due to some horrid PR decisions they were making. Fast forward to so many of their stupid responses and actions in other areas, like trying to maintain control over the music market, and now this debacle of PR with the PlayStation, and it really shouldn't surprise anyone else either. Sony historically thinks of Sony first, and the customers are only there to pay the salaries of those who feel they are unreproachable.
Duane Gundrum http://www.duanegundrum.com/
Sarbonn's blog: http://www.sarbonn.com/blog
I am sure that if anyone tries to use these credit card details Sony's much vaunted DRM system will install a rootkit onto their computer. Right?
Someone get me this moron's address. I'm within punching range.
...I really hope this guy kicks Sony's ass.
What do I know, I'm just an idiot, right?
The root password was "password" after the random number flaw was exposed in their encryption.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
So 75 million people out of the 77 million filed lawsuits with a day and a half of notice. Where does this information come from? As one of the 77 million people who received the message from PSN that my account info may have been accessed, I've been spending my time reviewing credit card purchases for the last week and requesting a new card number. Honestly I think this issue is just getting so over-exaggerated because of panic and misinformation. Now granted a lot of this is because of the legal vagueness of Sony's email. But I'd like some reference to these statistics before I'll accept them as facts.
This is the mail (translated from Spanish):
Add PlayStation_Network@playstation-email.com to your address book
PlayStation(R)Network
Dear PlayStation Network/Qriocity customer:
We have discovered that between April 17 and April 19, 2011,
certain PlayStation Network and Qriocity user information
was compromised in connection with an illegal and unauthorized intrusion
into our system. As a result, the measures we have taken to
date are the following:
1) Temporarily shut down the PlayStation Network and Qriocity services.
2) Contacted a reputable outside security agency to
conduct a thorough investigation of what happened; and
3) Quickly take the steps necessary to strengthen our network
infrastructure, and rebuild the system to offer greater protection of your
personal information.
We truly appreciate and thank you for your patience, and we are working
very hard and doing everything necessary to resolve this problem
quickly and efficiently as soon as possible.
Although we are still investigating the details of this incident, we believe
that unauthorized persons may have obtained your personal information:
name, address (city, province, postal code), country, email
address, date of birth, PlayStation Network/Qriocity login name and
password, and PSN ID. It is also possible that your profile data,
as well as purchase history and billing address, have been obtained.
If you have authorized a sub-account associated with your main account for
another person, the same information for that person may have been obtained.
Although there is no evidence that credit card data has been
obtained, we cannot rule out this possibility. If you have provided your
credit card data through PlayStation Network or Qriocity,
we must consider, for security reasons, the possibility that the
credit card number (not including the security code)
and its expiration date have also been obtained.
For your security, we recommend that you be extremely careful
with scams via email, mail, or telephone asking for any kind of
sensitive personal information. Sony would never contact you
in any way, including email, asking for your
credit card number, social security number, tax
identification or any other kind of personally identifying information.
If someone contacts you asking for this kind of information,
we assure you that Sony is not the entity requesting this information.
Additionally, if you use the same name and password as those used for
PlayStation Network or Qriocity for other services or accounts unrelated
to Sony, we recommend that they also be changed.
To avoid possible identity theft or financial loss, we recommend
regularly reviewing the balance and transactions on your bank accounts.
We thank you for your patience until the investigation of this incident
has been completed, and we are very sorry for any inconvenience caused.
Our teams are working around the clock, and our services will be
restored as soon as possible. Sony takes the protection of information
very seriously and will continue working to ensure that additional measures
are taken to protect that information. Providing a safe,
high-quality entertainment service for our consumers is our
top priority.
For more information, contact us at 1-800-345-7669.
Sincerely,
Sony Network Entertainment and Sony Computer Entertainment
Thank you a lot.
If Sony spent less time patching PS3 firmware to prevent folks from doing what they want to with the systems they own and more time protecting customer data, that would have never happened.
Would have been nice to have gotten an email from Sony the day of the data breach rather than more than a week later.