Sony Sued For PlayStation Network Data Breach
suraj.sun writes "Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed. The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the US District Court for the Northern District of California. Johns accuses Sony of not taking 'reasonable care to protect, encrypt, and secure the private and sensitive data of its users.' He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"
That'll teach them.
the great battle of our time...
I'm not sure I buy that first part, given that no online service is ever going to be 100% secure. I understand that one should take prudent steps toward making a "best effort" in that regard, but at the end of the day, if some well-funded crime kingpin wants in, there probably isn't much you'd be able to do about it. It's the second one that has my blood boiling in sympathy, partly because this is practically Sony's trademark: if something goes wrong with their products, don't go public with it, don't acknowledge it, don't even think about it, and maybe it will go away!
So, they sat on it for a week...
And in the process, they are claiming that they do not have any reason to believe that Credit Card Information was actually accessed.
It seems as though the core concept of this case hinges on whether or not Credit Card numbers were actually accessed, which is something that Sony will definitely be going out of their way to hide, as it is grounds to show that all claims are ultimately invalid within this case.
In any case, there would need to be disclosed proof stating that not only Credit Card numbers *were* accessed, but that Sony *intentionally* went out of their way to hide this fact from their customers.
Seems flimsy at best.
So, this will probably turn into a class action lawsuit in the coming weeks. Lawyers will get incredibly rich, and those affected will get a free PS3 wallpaper or something.
Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"
Normally, to sue a corporation over claimed negligence, you actually have to show that you were harmed.
Meaning, the plaintiff will probably have to show his inability to take mitigating actions due to Sony's negligence actually resulted in a loss or damages.
I suspect that will be difficult to pull off, unless his CC account was hacked / fraud was committed against him already as a result of the intrusion into Sony's network.
As for damages related to 'closing the account'.... if he were taking mitigating action, he would have to incur that loss regardless of whether Sony informed him earlier or not.
Now his bank and the payment card industry should be the ones taking the strongest stance against Sony; since it's the banks that most immediately bear the cost of fraud (due to policy of $0 liability for unauthorized account use; once the account owner identifies the transactions as fraudulent).
I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.
Sadly, I know how this is going to turn out. There will be a class-action suit in which Sony is fined heavily. But the vast majority of the money will go to some shark lawyer, and the only thing the people affected by this will receive is a free 1-month subscription to PSN+. Actually, I'll be surprised if they even give us that much.
If this DOES go class-action, I will definitely be on the lookout for my notice to opt out. If I see any erroneous charges on my card stemming from this massive amount of incompetence, I want to retain my full legal right to bring my own suit against Sony where they will be required to provide me with credit monitoring and credit fraud protection. I'm sorry, but a boilerplate "we're sorry" and some token gesture are NOT going to cut it here.
"So after all this, you make my case for me. To end this stalemate, you must die..."
It takes time to find out what has been compromised. The hacker won't just come out and say "All your base are belong to us." Sony told us when they found out. If they did say that there is a possibility on day one that it may be compromised then there would be a lot of hectic and closing bank accounts on a hunch. If nothing had been compromised and they told us it may be (on day one) then people would be mad and still sue Sony for misleading them. Crap happens, suing doesn't make it better. Plus nobody said you had to create an account, nor did you pay for it.
46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4
sysadmins and parents of newborns get the same amount of sleep.
It's funny how Sony works so hard to protect their data and content via all their DRM attempts, when it's their customers' - not so much. On the other hand, they now have something to point to when people want to run whatever OS they want to run on their machines. Still, they can't stop it, they should focus on keeping their customers' credit card info out of harm's way (remind me why they need to keep persistent credit card data anyway? That should be an opt in only type of thing, with a required expiration date otherwise.) On a related note, when I set up a new account at my bank they only allow alpha-numerics with no special characters. WTF? Try to explain rainbow tables to a bank representative. So I used all of them ... I had the longest password she had ever seen.
you are in a twisty maze of different passages.
Actually I just got a notification from Sony about this today.
And according to this http://vgn365.com/2011/04/26/psn-users-reporting-hundred-of-dollars-stolen-from-them/
The CC's are already in the wild.
I know Visa is aware of the issue. They have reissued me a new card based on this information.
So yea it could go somewhere
So he's after recovery of damages, but so far it doesn't indicate that he's experienced fraud, and it's not going to come out of his pocket anyways (the credit card company would handle any fraudulent charges).
He also wants credit card monitoring services, but it's not exactly clear that Sony would not have offered such services. It sounds like they're still investigating the extent of the breach. By making it part of the lawsuit, just how long will it take to get the services? After the lawsuit has been settled several months from now? I'd bet that he'd get the services a lot sooner through public pressure than as a remedy of a lawsuit.
Which leaves the third part of what he seeks - recovery of lawyer fees. Now it's pretty clear why this lawsuit exists at this stage - the opportunity for the lawyers to get rich in the name of consumer protection.
Well, you could always argue that being without your credit card for a week while waiting on your bank to issue another one is "damaging" to one's quality of life.
If they need to take time out of their day to go to the bank to get cash from a human, the additional time spent conducting cash transactions versus the use of cards, the time to get your accounts updated to use the new Card Number to prevent your power from being shut off, and so on, then "damages" can actually be shown.
Not much different from the random times when your wallet is stolen.
Thirty four characters live here.
They really messed up this time! Life is a bitch, ain't it?
Our wonderful, conservative-activist Supreme Court just ruled today that any company may stick a line in their EULA stating that by using their product, you forfeit the right to sue, and must instead use a private arbiter of the corporation's choice. They based this decision on a 90 year old law that was written to cover maritime shipping disputes.
Of course, since most contracts these days state that the corporation has the right to change the terms at any time without notice, this basically means that you can no longer sue a company that you've entered into a contract with.
Still think you have rights? Not as long as a Republican holds office!
Also a good idea to not use real names and push credit card companies to develop a system of one-time tokens that are only good for a single buyer-seller relationship ( or even for a single translation ) so that the stolen information has little value.
In a country where corporations like Sony effectively own lawmakers, criminal remedies are impossible. Civil cases involving "lawyer whores" are the only recourse allowed (short of vigilantism).
Hmm, something not right here.
PSN is free, so it's hard to imagine how anyone is entitled to any compensation there unless it's through a goodwill gesture by Sony (which they definitely should do).
No proof yet any credit cards have actually been compromised. And before you all get puffy and worked up, literally, NO PROOF of any CC problems that can be linked to the PSN breach have been proven (yet).
There's no way the banks would allow Sony to have access to CC accounts without being regularly audited, never heard of any problems there. So I would think it's safe to assume they've been following safe business practices or else we would have heard something by now.
According to latest reports, Sony reported the possibility of account & CC details being compromised a little over a day after they found out. Difficult to claim that's an egregious length of time given the circumstances.
With all that plus the fact that it's common knowledge that Sony has been repeatedly targeted by hackers and thieves out of revenge for Sony having the audacity to protect their network and customers, this lawsuit is going to have a very difficult time making any headway.
So what is exactly this lawsuit about? Since this originates in the US (the most litigious country in the world) I say it's just more ambulance chasing i.e. business as usual.
Well, I received 'official' notification about this approximately 2 hours ago - 8.55am, April 28 (Aus EST). The email is vague hand waving at best, and they suggest that once the service is restored, you change passwords and check your credit card statement. Of course, they couldn't have my CC details, because Sony wouldn't have stored such information in plain text, now would they...?
Usually I am against the rampant lawsuits over hot coffee and anything else the shills can think of, but this is one I am in favor of.
Sony seems to have taken over as the current best example of "Evil Large Corporation" in the public eye, and deservedly so.
Now if we could just get the pharmaceutical companies.......
Linux computers, watercooled, photography
This is one week after the shutdown:
"Add PlayStation_Network@playstation-email.com to your address book
"line" (to account for the junk filter)
PlayStation(R)Network
"line" (to account for the junk filter)
Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by rebuilding our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID. It is also possible that your profile data may have been obtained, including purchase history and billing address (city, state/province, zip or postal code). If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.
While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising that your credit card number (excluding security code) and expiration date may also have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit or similar types of reports.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority.
Please contact us at 1-800-345-7669 should you have any additional questions.
Sincerely,
Sony Computer Entertainment and Sony Network Entertainment
"The avalanche has already started. It's too late for the pebbles to vote." - Kosh
They could have warned you but they didn't. They knew it would cause panic and this panic could cause them to lose some customers.
Now we know 77 million customers are owned by hackers. We can thank Sony for waiting so long to tell us, and we can thank Sony also for caring more about DRM and security of their intellectual property than the security of personal critical consumer information.
What? Is your private information not as important or as valuable as theirs? I wonder how many celebrities and powerful families got their personal information compromised over this...
46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4
I intend to be elsewhere when the 70 million PSN account holders get a real live geek within their sights.
It is not going to be pretty.
Not to mention the money and firepower backing up those who sell products and services through PSN -
and the banks who finance and service the transactions. They too will be out for blood.
Given that Sony simply imported the data from one "child" company to another I don't expect that the owner of the company matters. It interests me that by closing the service on one company and opening it on another (along with a completely new TOS), would clauses regarding forcing a customer to use arbitration then be rendered void? The EULA is a legal document which supposedly forms a contract between one party and another; by failing to continue to provide service on the original company sony has breached that contract.
What of the millions (of 77+ I'm sure there's a few) who have yet to agree to the new EULA. Even in the case that one or both EULAs contain requirements that users handle disputes through arbitration I'd expect many individuals would not be held to these requirements at all.
Any lawyers care to correct me?
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Sue the crap out of them and be rich, otherwise you'll just probably end up with free X days the service was down, and your lawyer will be rich instead.
Yeah, so, they'll get a fine to offer affected customers a free downloadable game right? So what, they're just Custopeons.
But if you copy their game first, you're going DOWN terrorist!!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Sony seems to have taken over as the current best example of "Evil Large Corporation" in the public eye
It isn't Sony getting its reputation blackened. It is Anonymous, the geek, the cheat, the thief and the hacker, which the public sees as all of one kind.
This one is looking like a global crime network with money laundering facilities and boots on the ground. This one is going to sting, based on some reports of illicit card accesses that have happened in the past week.
Help stamp out iliturcy.
It should not be possible to get card data out of your transaction processing server. That should be obvious. It should be able to receive card data and a linked account, and accept and confirm transactions from the linked account, but it should be completely unable to transmit card data. Obviously, card data should not be stored outside the transaction processing server in any form, format or fashion.
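An added sketch (not part of the original thread, and not Sony's or any payment processor's code) of the design this comment describes, combined with the merchant-bound and single-use tokens suggested in an earlier comment: a hypothetical `CardVault` accepts card data, hands back tokens and charge confirmations, and has no method that returns a card number. All names are assumptions, and the card number used with it should be a test number such as the standard Visa test PAN.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Reject malformed card numbers at the vault boundary (Luhn check)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """Hypothetical transaction processor: card data goes in, only tokens and
    confirmations come out. The public interface has no read path for the PAN."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # token-signing key, never leaves the vault
        self._cards = {}                     # ref -> (pan, expiry), private to the vault
        self._spent = set()                  # refs of single-use tokens already redeemed

    def _sign(self, ref: str, merchant_id: str, single_use: bool) -> str:
        # The MAC binds the token to one merchant and to its single-use flag.
        msg = f"{ref}|{merchant_id}|{int(single_use)}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def enroll(self, pan, expiry, cvv2, merchant_id, single_use=False) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        if not (cvv2.isdigit() and len(cvv2) in (3, 4)):
            raise ValueError("invalid security code")
        # cvv2 would be forwarded to the issuer for the first authorisation
        # here; it is deliberately never written to self._cards.
        ref = secrets.token_hex(8)
        self._cards[ref] = (pan, expiry)
        return f"{ref}.{int(single_use)}.{self._sign(ref, merchant_id, single_use)}"

    def charge(self, token: str, merchant_id: str, amount_cents: int) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            return {"approved": False, "reason": "malformed token"}
        ref, flag, sig = parts
        single_use = flag == "1"
        expected = self._sign(ref, merchant_id, single_use)
        if ref not in self._cards or not hmac.compare_digest(sig, expected):
            # Covers a token replayed at another merchant and a tampered flag.
            return {"approved": False, "reason": "token not valid for this merchant"}
        if single_use:
            if ref in self._spent:
                return {"approved": False, "reason": "token already used"}
            self._spent.add(ref)
        pan, _expiry = self._cards[ref]
        # Only the last four digits ever cross the boundary.
        return {"approved": True, "amount_cents": amount_cents,
                "card": "****" + pan[-4:]}


if __name__ == "__main__":
    vault = CardVault()
    test_pan = "4111111111111111"            # standard Visa test number, not a real card
    tok = vault.enroll(test_pan, "12/30", "123", "merchant-a")
    print(vault.charge(tok, "merchant-a", 1999))   # approved, card shown as ****1111
    print(vault.charge(tok, "merchant-b", 1999))   # stolen token is useless elsewhere
    once = vault.enroll(test_pan, "12/30", "123", "merchant-a", single_use=True)
    print(vault.charge(once, "merchant-a", 500))   # approved
    print(vault.charge(once, "merchant-a", 500))   # replay refused
```

A database dump taken from the storefront side of such a system would contain only tokens, which are worthless at any other merchant.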
If I remember correctly, the post from yesterday mentioned that included among the data that was compromised were CVV2 codes (that 3-digit code on the back of your CC).
Here's an interesting point about storing CVV2 codes...
http://en.wikipedia.org/wiki/Card_security_code
For that alone, Sony should have all of its merchant accounts revoked immediately.
Because clearly, it's Sony's fault-- and not the hackers' fault-- that the hackers broke into Sony's network. Sony's questionably ethical business practices do not warrant them the blame. He's suing the wrong people, all Sony is going to do is throw their EULA in his face.
Hey! Who told you my password?
"To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
I got this e-mail from Sony this morning. A little late, perhaps? <sarcasm>
Though here's a question: How many other companies have the backbone to own up quite so readily, instead of trying to cover it up to save face?
Don't get me wrong, I'm not trying to defend Sony (after all, it seems that they're finally getting help to make their system more secure, implying that their efforts were not solid enough to start with). But what I am saying is that I generally don't trust businesses to keep secure personal and credit card information, which is why I didn't give Sony my credit card details (but sadly had to give my personal information.)
These companies are all interlinked and they deserve a good suing. 77 million users cannot be wrong.... take that on the chin you cnuts!
All cows eat grass!
That's just retarded, really? Why is Slashdot so full of trolling anti-Sony's? Have you ever been a systems administrator? It takes time and effort to actually detect and then judge the severity of a given attack. One week does not seem like a big deal from -woops we have a big problem- to sending out a formal acknowledgement of the issue. Hell, it would take at LEAST 1 day for a Sony rep to officially write up the disclosure in legally tin foil jargon and probably another for the notice to be translated into every language that Sony officially supports.
Bye!
Hell, it would take at LEAST 1 day for a Sony rep to officially write up the disclosure in legally tin foil jargon and probably another for the notice to be translated into every language that Sony officially supports.
That there is a massive problem in itself. I think you are probably right, but for their sake I hope you're wrong, as it says they were more concerned about their own arses than ensuring people were informed of the issue. In these cases the users at risk should be EVERYONE'S first priority. I hope it was just a case of it taking that long to sift through logs to track down what had happened and that they then immediately released the information (ie within an hour or 2 of knowing), otherwise I hope they get sued to hell and back.
This would not happen to amazon, paypal or any other instance with 77 million users - with sensitive personal data. I'm still hoping that it wasn't criminally motivated intrusion. There is still a tiny chance, that the one who did it was just proving a point. Tried to play something last night, but it didn't feel the same any more. Might say that now I know how abused spouses feel.
Is it just me, or would a certain hacker have a reason to destroy Sony's network and get Sony sued, and this certain person would have the talent to pull it off, heh. But really, Sony did need this reality check; they have been riding a high horse and even threatening customers with modded systems. It's nice to see the knife pointed at them. And the sad fact is the guy who is suing is totally correct. Sony was way overzealous that their PS3 and network could not ever be hacked and didn't bother to encrypt shit past the first stage of security, why we have the keys for both PSP and PS3 and someone got dev access to the entire network. Who knows what really happened though, maybe it was a case of a disgruntled dev.
Wait a Minute... Didn't they take away the Install Another OS feature due to "security concerns."
And now the PSN has been hacked, my information taken and I'm now at risk of fraudulent credit card charges....
I'm sorry but where's my check????
You've made an enemy out of a lot of the community.
I have 2 PS3's and 25 games on my shelf.
LEGITIMATE games.
Do you know why I purchased a PS3? The real reason I originally purchased it? There were 2 reasons.
1 was God of War 3, which took 2 years after I got the thing and was surprisingly not as good as #2
2 XBMC was rumoured to be coming to PS3, via the loophole to the hypervisor through linux. More beautiful XBMC goodness.
You closed that loophole and I STILL forgave you because I loved the games, I forgave you guys for a lot of shit, a LOT - I even put up with taking linux away - but this Geohot thing was the final straw.
Even if my details are compromised as one of the customers, who cares. GOOD - fuck you assholes for treating the customers with utter contempt.
Looks like Hitler will join the suit
"We have an A-Bomb...what more do you want, mermaids?" --I.I. Rabi, speaking in defense of Robert Oppenheimer
it should be Visa and Mastercard. I doubt Discover would; they're just happy to be finally noticed by scammers.
This really doesn't surprise me at all. Sony has historically had a horrible customer service model in pretty much all of its products and services. I remember the days of dealing with Sony Online Entertainment, and realizing this was the wrong way to do business with people. The company has always been top down directed, in that they respond only when faced with a scandal or its customers start leaving in mass, which was done in the early days of Everquest due to some horrid PR decisions they were making. Fast forward to so many of their stupid responses and actions in other areas, like trying to maintain control over the music market, and now this debacle of PR with the playstation, and it really shouldn't surprise anyone else either. Sony historically thinks of Sony first, and the customers are only there to pay the salaries of those who feel they are unreproachable. Duane Gundrum http://www.duanegundrum.com/
Sarbonn's blog: http://www.sarbonn.com/blog
I am sure that if anyone tries to use these credit card details Sony's much vaunted DRM system will install a rootkit onto their computer. Right?
...I really hope this guy kicks Sony's ass.
What do I know, I'm just an idiot, right?
Most of these kinds of contracts allow the company to assign their rights in the contract to another party.
The root password was "password" after the random number flaw was exposed in their encryption.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
So 75 million people out of the 77 million filed lawsuits with a day and half of notice. Where does this information come from? As one of the 77 million people, who received the message from PSN that my account info may have been accessed. I've been spending my time reviewing credit card purchases for the last week and requesting a new card number. Honestly I think this issue is just getting so over exaggerated because of panic and misinformation. Now granted a lot of this is because of the legal vagueness of Sony's email. But I'd like some reference to these statistics before I'll accept them as facts.
This is the mail (in Spanish; translated to English here):
Add PlayStation_Network@playstation-email.com to your address book
PlayStation(R)Network
Dear PlayStation Network/Qriocity customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity user information was compromised in connection with an illegal, unauthorized intrusion into our system. As a result, the measures we have taken to date are the following:
1) Temporarily shut down the PlayStation Network and Qriocity services.
2) Contacted a reputable external security agency to conduct an exhaustive investigation of what happened; and
3) Quickly take the necessary measures to strengthen our network infrastructure, and rebuild the system offering greater protection of your personal information.
We truly appreciate and are grateful for your patience, and we are working very hard and doing everything necessary to resolve this problem quickly and efficiently as soon as possible.
Although we are still investigating the details of this incident, we believe that unauthorized persons may have obtained your personal information: name, address (city, province, postal code), country, email address, date of birth, PlayStation Network/Qriocity login name and password, and PSN ID. It is also possible that your profile data, as well as purchase history and billing address, have been obtained. If you have authorized a sub-account associated with your main account for another person, the same information for that person may have been obtained.
Although there is no evidence that credit card data has been obtained, we cannot rule out this possibility. If you have provided your credit card data through PlayStation Network or Qriocity, we must consider, for security reasons, the possibility that the credit card number (not including the security code) and its expiration date have also been obtained.
For your security, we recommend that you be extremely careful with scams via email, post, or telephone asking for any kind of sensitive personal information. Sony would never contact you in any way, including email, asking for your credit card number, social security number, tax identification or any other type of personal identity information. If someone contacts you asking for this type of information, we assure you that Sony is not the entity requesting this information.
Additionally, if you use the same name and password as those used for PlayStation Network or Qriocity for other services or accounts not related to Sony, we recommend that they also be changed.
To avoid possible identity theft or financial loss, we recommend regularly reviewing the balance and transactions on your bank accounts.
We thank you for your patience until the investigation of this incident is complete, and we are very sorry for any inconvenience caused. Our teams are working tirelessly, and our services will be restored as soon as possible. Sony takes the protection of information very seriously and will continue working to ensure that additional measures are taken to protect that information. Providing a secure, quality entertainment service to our consumers is our main priority.
For more information contact us at 1-800-345-7669.
Sincerely,
Sony Network Entertainment and Sony Computer Entertainment
The moment they shut down, emails should have gone out that say there has been a breach, and they are investigating.
This is not a system admin issue, it's a management issue. A bad decision to not inform customers.
And the legal Jargon is boiler plate.
I have been in situations like this, admittedly not 75 million people, but in principle it's the same.
Shut the networks
Notify customers of a down time due to possible breach.
Update every 12 hours on any progress. Even if the update is just a post saying it's ongoing.
Can you imagine your ISP shutting down all of a sudden and not notifying you for over a day?
The Kruger Dunning explains most post on