Slashdot Mirror


Sony Sued For PlayStation Network Data Breach

suraj.sun writes "Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed. The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the US District Court for the Northern District of California. Johns accuses Sony of not taking 'reasonable care to protect, encrypt, and secure the private and sensitive data of its users.' He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"

43 of 404 comments

  1. So it begins... by Anonymous Coward · · Score: 2, Funny

    the great battle of our time...

  2. Re:not taking reasonable care by Labcoat+Samurai · · Score: 3, Insightful

    Maybe this lawsuit will require them to come forward with the steps they *did* take. Up until now, it's largely been speculation. If they locked the door but left open a window, I want to know. And I want to know how open that window was left.

  3. He got notified? by FSWKU · · Score: 5, Insightful

    I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.

    Sadly, I know how this is going to turn out. There will be a class-action suit in which Sony is fined heavily. But the vast majority of the money will go to some shark lawyer, and the only thing the people affected by this will receive is a free 1-month subscription to PSN+. Actually, I'll be surprised if they even give us that much.

    If this DOES go class-action, I will definitely be on the lookout for my notice to opt out. If I see any erroneous charges on my card stemming from this massive amount of incompetence, I want to retain my full legal right to bring my own suit against Sony where they will be required to provide me with credit monitoring and credit fraud protection. I'm sorry, but a boilerplate "we're sorry" and some token gesture are NOT going to cut it here.

    --
    "So after all this, you make my case for me. To end this stalemate, you must die..."
    1. Re:He got notified? by Labcoat+Samurai · · Score: 4, Funny

      I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.

      Indeed. On the blog, I noticed some apologist in the comment section trying to defend Sony by saying that it takes a long time to send 77 million emails. Tell that to a spammer, I thought.

    2. Re:He got notified? by Bios_Hakr · · Score: 3, Interesting

      Definitely. I'd love to see Sony deal with 77M suits in small-claims court.

      At $500 per suit, that would be something like $38B.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    3. Re:He got notified? by Bios_Hakr · · Score: 3, Informative

      It *needs* to happen. And happen big. Maybe after Sony files for bankruptcy, investors in other companies will start asking the CIO to ensure security at any cost.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    4. Re:He got notified? by Destoo · · Score: 2

      I've just received my notice. What took time was the translation/localization to French, probably.

      It's still unacceptable, but at least I received it.

      --
      Games and technology news in French. TC
    5. Re:He got notified? by h4rr4r · · Score: 2, Informative

      That's the risk the investors took. Don't like it? Invest in more reputable companies.

    6. Re:He got notified? by c_jonescc · · Score: 2

      Maybe it's possible to work in one division of a major corporation and have no idea what the other divisions are doing. If so, my money's on the fact that the corporate legal team has made it such that separate divisions are indeed separate entities, and gross failure on the games division won't destroy the foundations of the other divisions.

      If your company is not that big, take a clue from the corporate culture which is usually used to sell a potential employee - "we're sure you'll love it here, as our culture is such that mostly like-minded people work here, and you're sure to get along with your co-workers". Does your division do things that are wrong? Then it's likely they all do. So, there's that for the 'poor employees' excuse.

      Investors are crap. Look at mutual funds. Do you have qualms about investing in something that has ties to modern pseudo-slavery or insane environmental malfeasance in the third world? Try to find a fund that excludes those potentials. Then you'll find the ethical funds that return a FRACTION of the others. Investors are trying to turn a buck, which is fair, but it's also fair if they lose money because no investment is guaranteed. Want investors to stop turning a blind eye as long as the returns are high? Then make sure they pay their share when the returns were earned through shitty practices.

      That said, I agree with what you say about the executives. They need to be punished for their decisions and not paid off with disregard to their ethics.

      --
      Getting diabetes AND salmonella would be a bad weekend.
    7. Re:He got notified? by jschottm · · Score: 2

      investors in other companies will start asking the CIO to ensure security at any cost

      Really? Any cost? There is no such thing as a completely secure network or computer (that provides a usable amount of capability) and getting to a high level can be very, very expensive. Are you willing to give up e-commerce? The ability to get government services online? Your gmail accounts? (Google, after all, quite publicly got hacked, yet you continue to use them.)

      Are you prepared to pay three, four, five, ten times as much for your phone and network connections?

      This is a major leak of personal information but it's nothing that should bankrupt a major corporation based on what's known now. The big reform that needs to happen is that identity fraud needs to get harder to do based on simple information like names, address, and DOB, significant amounts of which can already be found in public records.

    8. Re:He got notified? by mywhitewolf · · Score: 2

      Regardless of who you attempt to hold accountable, when the payouts are coming from the company the employees will always lose to some degree. Yet people get fired all the time for things that aren't their fault because it's in "the best interest of the company"; we can't protect a dodgy company because it will cause some sort of unemployment. Would we not send a father of 3 to jail for fraud just because his family survives off his ill-gotten gains? Why make that exception for a company?

    9. Re:He got notified? by FictionPimp · · Score: 4, Informative

      Not the AC, but here was my email

      Valued PlayStation(R)Network/Qriocity Customer:

      We have discovered that between April 17 and April 19, 2011,
      certain PlayStation Network and Qriocity service user account
      information was compromised in connection with an illegal and
      unauthorized intrusion into our network. In response to this
      intrusion, we have:

      1) Temporarily turned off PlayStation Network and Qriocity services;

      2) Engaged an outside, recognized security firm to conduct a full
      and complete investigation into what happened; and

      3) Quickly taken steps to enhance security and strengthen our
      network infrastructure by rebuilding our system to provide you
      with greater protection of your personal information.

      We greatly appreciate your patience, understanding and goodwill
      as we do whatever it takes to resolve these issues as quickly and
      efficiently as practicable.

      Although we are still investigating the details of this incident,
      we believe that an unauthorized person has obtained the following
      information that you provided: name, address (city, state, zip), country,
      email address, birthdate, PlayStation Network/Qriocity password and login,
      and handle/PSN online ID. It is also possible that your profile data,
      including purchase history and billing address (city, state, zip),
      and your PlayStation Network/Qriocity password security answers may
      have been obtained. If you have authorized a sub-account for your
      dependent, the same data with respect to your dependent may have
      been obtained. While there is no evidence at this time that credit
      card data was taken, we cannot rule out the possibility. If you have
      provided your credit card data through PlayStation Network or Qriocity,
      out of an abundance of caution we are advising you that your credit
      card number (excluding security code) and expiration date may have
      been obtained.

      For your security, we encourage you to be especially aware of email,
      telephone and postal mail scams that ask for personal or sensitive
      information. Sony will not contact you in any way, including by email,
      asking for your credit card number, social security number or other
      personally identifiable information. If you are asked for this information,
      you can be confident Sony is not the entity asking. When the PlayStation
      Network and Qriocity services are fully restored, we strongly recommend that
      you log on and change your password. Additionally, if you use your PlayStation
      Network or Qriocity user name or password for other unrelated services or
      accounts, we strongly recommend that you change them as well.

      To protect against possible identity theft or other financial loss, we
      encourage you to remain vigilant, to review your account statements and
      to monitor your credit reports. We are providing the following information
      for those who wish to consider it:
      - U.S. residents are entitled under U.S. law to one free credit report annually
      from each of the three major credit bureaus. To order your free credit report,
      visit www.annualcreditreport.com or call toll-free (877) 322-8228.

      - We have also provided names and contact information for the three major U.S.
      credit bureaus below. At no charge, U.S. residents can have these credit bureaus
      place a "fraud alert" on your file that alerts creditors to take additional steps
      to verify your identity prior to granting credit in your name. This service can
      make it more difficult for someone to get credit in your name. Note, however,
      that because it tells creditors to follow certain procedures to protect you,
      it also may delay your ability to obtain credit while the agency verifies your
      identity. As soon as one credit bureau confirms your fraud alert, the others
      are notified to place fraud alerts on your file. Should you wish to place a
      fraud alert, or should you have any questions regarding your credit report,
      please contact any one of the agencies listed below:

      Ex

  4. Ugghh! by Chubcorp · · Score: 2

    It takes time to find out what has been compromised. The hacker won't just come out and say "All your base are belong to us". Sony told us when they found out. If they had said on day one that there is a possibility it may be compromised, then there would have been a lot of hectic closing of bank accounts on a hunch. If nothing had been compromised and they had told us it may be (on day one), then people would be mad and still have sued Sony for misleading them. Crap happens, suing doesn't make it better. Plus nobody said you had to create an account, nor did you pay for it.

  5. Here's to sinking Sony's battleship by cultiv8 · · Score: 5, Informative

    46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4

    --
    sysadmins and parents of newborns get the same amount of sleep.
    1. Re:Here's to sinking Sony's battleship by shish · · Score: 4, Funny

      If those are the grid references for the different pieces of Sony's battleship, I'm surprised it can float in the first place o_O

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  6. Re:not taking reasonable care by mysidia · · Score: 5, Informative

    I'm not sure I buy that first part, given that no online service is ever going to be 100% secure.

    Reasonable care would imply robustly isolating transaction processing systems and user accessible systems from systems that store primary account numbers such as credit card/bank account numbers from online/public access systems such as the internet, or the playstation network.

    Reasonable care would include complying with PCI requirements, relating to auditing, security practices, separation of computer systems by role, and enforcing strong unique access credentials for users and systems.

    So that a compromise of the publicly accessible network cannot lead to compromise of the account numbers.

    This is highly doable. The only commands/services the PSN/publicly accessible servers need from account servers is a command to "add a new account number" to the database linked to a certain customer, a command to "erase an account number", a command to list privacy-filtered summary to display a 'delete' user interface, and a command "authorize/charge a transaction to account number" (without revealing what the number actually is to the transaction processing server).

  7. Re:not taking reasonable care by Anonymous Coward · · Score: 3, Insightful

    Thank you Mr. Armchair Expert!

  8. DRM anyone? by lasinge · · Score: 5, Insightful

    It's funny how Sony works so hard to protect their data and content via all their DRM attempts, when it's their customers' - not so much. On the other hand, they now have something to point to when people want to run whatever OS they want to run on their machines. Still, they can't stop it; they should focus on keeping their customers' credit card info out of harm's way (remind me why they need to keep persistent credit card data anyway? That should be an opt-in only type of thing, with a required expiration date otherwise.) On a related note, when I set up a new account at my bank they only allow alphanumerics with no special characters. WTF? Try to explain rainbow tables to a bank representative. So I used all of them ... I had the longest password she had ever seen.

    --
    you are in a twisty maze of different passages.
  9. Well... by Anonymous Coward · · Score: 5, Interesting

    Actually I just got a notification from Sony about this today.
    And according to this http://vgn365.com/2011/04/26/psn-users-reporting-hundred-of-dollars-stolen-from-them/
    the CCs are already in the wild.
    I know Visa is aware of the issue. They have reissued me a new card based on this information.
    So yeah, it could go somewhere.

  10. Re:They sat on it for a week... by Darkness404 · · Score: 5, Insightful

    And sitting on something like this for a week -is- a problem. When you have possibly exposed the equivalent of 25% of the US population to credit card fraud, the world needs to know. This isn't some "oh whoops, one of our laptops is missing" instead this is a data breach affecting 77 million people. And to say -nothing- is completely irresponsible. A week is a pretty long time to not say -anything- and to just hope that it will go away.

    Even someone who has your personal information for a few hours can cause havoc in your life, let alone for an entire week.

    --
    Taxation is legalized theft, no more, no less.
  11. Check your EULA... you probably can't sue by artor3 · · Score: 3, Insightful

    Our wonderful, conservative-activist Supreme Court just ruled today that any company may stick a line in their EULA stating that by using their product, you forfeit the right to sue, and must instead use a private arbiter of the corporation's choice. They based this decision on a 90 year old law that was written to cover maritime shipping disputes.

    Of course, since most contracts these days state that the corporation has the right to change the terms at any time without notice, this basically means that you can no longer sue a company that you've entered into a contract with.

    Still think you have rights? Not as long as a Republican holds office!

    1. Re:Check your EULA... you probably can't sue by fermat1313 · · Score: 2, Informative

      Um, you completely don't understand this. Arbitration is a long-standing method of settling a dispute between parties. It is extremely common in Professional Services engagement agreements, and it is also very common in other service agreements. I'm quite sure almost every agreement you sign for internet, phone, electricity, cable TV, etc also includes arbitration language.

      Arbitration is a good thing. It allows small matters to be handled quickly, less expensively, and without mucking up our already congested court system. If you read the opinion, the court indicates that AT&T's arbitration agreement is specifically written to encourage the company to act in good faith. If a customer receives an arbitration award greater than the last written settlement offer, the customer gets $7,500 + twice any lawyer's fees. Clearly, AT&T has incentive to provide a good settlement. In this case, AT&T would have offered the plaintiffs $30.22, which is what the plaintiffs were (perhaps) wrongly charged in sales tax. Any decent arbitrator would have given the plaintiffs $30.22, which was their real loss. Trust me, arbitration agreements are a good thing. Our court system would be practically non-functional without them.

    2. Re:Check your EULA... you probably can't sue by lenroc · · Score: 3, Informative

      Our wonderful, conservative-activist Supreme Court just ruled today that any company may stick a line in their EULA stating that by using their product, you forfeit the right to sue, and must instead use a private arbiter of the corporation's choice.

      Not true, actually. They ruled that customers that have signed a contract with a clause to that effect are bound to it. AFAIK, there is no settled case law saying that a shrinkwrap EULA is equivalent to a valid, signed contract.

    3. Re:Check your EULA... you probably can't sue by PRMan · · Score: 5, Informative

      Techdirt just found that 96% of awards in business vs consumer arbitration go to the business. Still stand by your statement?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    4. Re:Check your EULA... you probably can't sue by cptdondo · · Score: 2

      Arbitration works well between equals, or those who have equal exposure, and in highly technical disputes like professional services where a jury of one's peers would be hard to find.

      That relationship does not hold for an individual customer against a company that is larger than most nations, and controls vast resources.

  12. Re:Good FUCKING Grief... by Anonymous Coward · · Score: 4, Insightful

    In a country where corporations like Sony effectively own lawmakers, criminal remedies are impossible. Civil cases involving "lawyer whores" are the only recourse allowed (short of vigilantism).

  13. Are the grounds for this lawsuit even valid? by Mad+Leper · · Score: 3, Insightful

    Hmm, something not right here.

    PSN is free, so it's hard to imagine how anyone is entitled to any compensation there unless it's through a goodwill gesture by Sony (which they definitely should do).
    No proof yet any credit cards have actually been compromised. And before you all get puffy and worked up, literally, NO PROOF of any CC problems that can be linked to the PSN breach have been proven (yet).
    There's no way the banks would allow Sony to have access to CC accounts without being regularly audited, never heard of any problems there. So I would think it's safe to assume they've been following safe business practices or else we would have heard something by now.
    According to latest reports, Sony reported the possibility of account & CC details being compromised a little over a day after they found out. Difficult to claim that's an egregious length of time given the circumstances.

    With all that plus the fact that it's common knowledge that Sony has been repeatedly targeted by hackers and thieves out of revenge for Sony having the audacity to protect their network and customers, this lawsuit is going to have a very difficult time making any headway.

    So what exactly is this lawsuit about? Since this originates in the US (the most litigious country in the world) I say it's just more ambulance chasing, i.e. business as usual.

    1. Re:Are the grounds for this lawsuit even valid? by greg1104 · · Score: 2

      Look at the Davidson data breach class action lawsuit for a case extremely similar to this one. There's also the (still pending as far as I can tell) Citizens Financial Bank breach case. Not following the standards of the industry for securing this sort of data can absolutely lead to a class action settlement, even if there is no hard written security standard.

    2. Re:Are the grounds for this lawsuit even valid? by Nemyst · · Score: 2

      1) PSN is free, but that doesn't mean anything. The information I've given Sony has been given on the assumption that it would be kept with a modicum of safety. This was obviously not the case. It's even worse if the credit cards have indeed been compromised, in which case monetary compensation is far from being out of the question.

      2) Reported a day after, where? I'm sorry, but saying it somewhere on the internet doesn't count. If you don't contact your customers on agreed-upon areas (email is the sole official contact anybody registering has given them), you haven't reported anything. I've received the email this morning. That's not one day.

      3) Oh sure, so now because something's a target they're shielded from being dumb? Much of it is actually Sony reaping what they've sowed, but even notwithstanding that, it doesn't matter. If a bank gets a lot of frauds, does it mean it can stop paying back the customers?

    3. Re:Are the grounds for this lawsuit even valid? by vegiVamp · · Score: 2

      > PSN is free
      Playstation Plus isn't.

      > NO PROOF of any CC problems that can be linked to the PSN breach
      Pretty hard to prove in the best of cases. You could just as easily go the other way and have Sony prove someone else leaked the card. You'd need to track down the source of the fraudulent charges and keep tracking right to the source in both cases.

      > no way the banks would allow [...] without being regularly audited
      Are you really suggesting that banks audit their corporate customers' software, on a regular basis?

      > Sony reported [...] a little over a day after they found out
      Umm... they've taken PSN down a week ago. I only just today received notification. They reported 'external intrusion' on their blogs almost a week ago. That tells me the 'possibility' was known from way back then.

      --
      What a depressingly stupid machine.
    4. Re:Are the grounds for this lawsuit even valid? by Cederic · · Score: 2

      they didn't have enough data for real identity theft

      Well, no, they didn't have full DNA samples, photographs of all scars and tattoos and a voiceprint to enable full replication.

      I guess it's lucky that they can't do too much damage with name, address, date of birth, security question answers and credit card details.

      Care to share yours?

  14. Re:not taking reasonable care by TheEyes · · Score: 2

    The problem is that it is never a "well funded crime kingpin" and most often a 15-to-30-year-old or an (ex) employee that noticed some gaping, obvious security flaw. Data breaches like this are rarely the work of huge "cyber gangs" and mostly the work of individuals who noticed some huge flaw that Sony had. The crime kingpins wouldn't bother with something like this because it is a whole lot easier to sell botnets with 3nl@rg3 y0ur p3n15 spam.

    Twenty years ago you may have been right, but these days botnets are a multi-million dollar operation, underground black markets sell botnet time just like Amazon sells computer cycles, and cyber-gangs sell credit card numbers for a few dollars a pop. Cracking isn't the sole province of bored kids typing away from their parents' basement anymore; it's an industry, staffed by professionals.

  15. Re:Class Action by fermat1313 · · Score: 5, Informative

    Wow, I don't think you actually read that document. That opinion had absolutely nothing to do with Products or Services, and it doesn't disable class status for lawsuits. It states that an arbitration agreement that disallows class arbitration is allowable. Basically, if you sign away your right to arbitration by class action, that is valid, and you can't later invoke class-wide arbitration.

    Lots of misinformation around here sometimes.

  16. Re:not taking reasonable care by DeadboltX · · Score: 5, Funny

    When I ran a server that contained sensitive customer data, I left the database open and without a password. That way if someone was going to hack me, I didn't have to buy a new password. Analogy fail.

  17. Re:Class Action by h4rr4r · · Score: 2

    Which means every contract consumers will deal with just had that clause added.

  18. Re:not taking reasonable care by Anonymous Coward · · Score: 2, Insightful

    Smart man. I leave my car unlocked too so the crack-heads can just take the $1.27 from my ashtray and save me the trouble of buying a new car window every time I park out on the street.

    Problem here is, it wasn't Sony's $1.27 that was lost. It was my stuff lost, and 77 million other people..... The biggest problem of all is that Sony did not alert their customers in a timely manner. Fuck Sony.

  19. Re:not taking reasonable care by ghjm · · Score: 2

    Well, storing the passwords in plaintext rather than hashed seems to me like a fundamental breach of any rational standard of care.
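    The contrast ghjm draws, plaintext storage versus hashing, is the one below. This is an added example written for this mirror, not code from the thread or from Sony; it assumes a PBKDF2-SHA256 scheme with a per-user random salt, an iteration count chosen for the example, and a constructed two-user table. The point it shows beyond the sentence above: two users with the same password get different stored records, a malformed or plaintext record never verifies, and an unknown username costs the same work as a wrong password.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2. An assumed value for this example; raise it as
# hardware gets faster. It slows legitimate logins slightly and slows
# anyone guessing passwords from a leaked table by the same factor per guess.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn on every call unless one is supplied
    (supplying one is only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "$".join(
        ["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and
    compare in constant time. Malformed (or plaintext) records never verify."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample user table. Both users chose the same password; with a
# per-user salt their stored records still differ, so a leaked table cannot
# be cracked once and then applied to everyone.
USERS: Dict[str, str] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
}

# Record verified against when the username is unknown, so that lookup
# failures take the same time as a wrong password (computed once at import).
_DUMMY_RECORD = hash_password("", b"\x00" * SALT_BYTES)


def login(username: str, password: str, table: Dict[str, str] = USERS) -> bool:
    """What a login handler does with hashed storage: fetch the record and
    verify against it; there is no stored plaintext to compare to."""
    record = table.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, record)


def same_password_same_record(table: Dict[str, str], a: str, b: str) -> bool:
    """Demo helper: True only if two users' stored records are byte-identical."""
    return table[a] == table[b]


if __name__ == "__main__":
    print("alice, right password:", login("alice", "correct horse battery staple"))
    print("alice, wrong password:", login("alice", "hunter2"))
    print("alice and bob share a record:", same_password_same_record(USERS, "alice", "bob"))
```

    Note that the record stores its own iteration count, so the work factor can be raised later and old records re-hashed at the user's next successful login without a flag day.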

  20. Transaction servers should be write-only by Anonymous Coward · · Score: 2, Informative

    It should not be possible to get card data out of your transaction processing server. That should be obvious. It should be able to receive card data and a linked account, and accept and confirm transactions from the linked account, but it should be completely unable to transmit card data. Obviously, card data should not be stored outside the transaction processing server in any form, format or fashion.
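    mysidia's comment #6 above and this one describe the same split: a public-facing service that holds only references to cards, and an isolated transaction server whose interface is "add", "erase", "list a masked summary" and "charge by reference", never "read back the number". The sketch below is an added example for this mirror, not Sony's design or code from the thread. It assumes the names CardVault and StorefrontService, in-memory dictionaries in place of a real database and acquirer link, and the well-known test number 4111111111111111 as constructed input. It also binds each token to the customer who created it, so a token lifted from the public side cannot be charged from another account.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, used as basic input validation before storage."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class _StoredCard:
    customer_id: str
    pan: str
    expiry: str


class CardVault:
    """The isolated transaction server. Card data goes in; only opaque tokens,
    masked summaries and charge receipts come out. No method returns a PAN."""

    def __init__(self) -> None:
        self._cards: Dict[str, _StoredCard] = {}   # token -> card, private

    def add_card(self, customer_id: str, pan: str, expiry: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("card number failed Luhn check")
        token = secrets.token_urlsafe(24)           # unguessable reference
        self._cards[token] = _StoredCard(customer_id, pan, expiry)
        return token

    def delete_card(self, customer_id: str, token: str) -> bool:
        card = self._cards.get(token)
        if card is None or card.customer_id != customer_id:
            return False
        del self._cards[token]
        return True

    def list_cards(self, customer_id: str) -> List[dict]:
        """Privacy-filtered summary for a 'delete card' screen: last four only."""
        return [
            {"token": tok, "last4": c.pan[-4:], "expiry": c.expiry}
            for tok, c in self._cards.items()
            if c.customer_id == customer_id
        ]

    def charge(self, customer_id: str, token: str, amount_cents: int) -> dict:
        """Authorize a charge by token; the token must belong to the requester."""
        card = self._cards.get(token)
        if card is None or card.customer_id != customer_id:
            raise PermissionError("unknown token or not owned by this customer")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        # A real vault would now talk to the acquirer using card.pan. The receipt
        # handed back to the caller carries only the masked number.
        return {
            "approved": True,
            "amount_cents": amount_cents,
            "last4": card.pan[-4:],
            "auth_id": secrets.token_hex(6),
        }


class StorefrontService:
    """The public-facing side (PSN in the thread). It keeps tokens per customer
    and nothing else about the card, so compromising it yields no card numbers."""

    def __init__(self, vault: CardVault) -> None:
        self._vault = vault
        self._wallets: Dict[str, List[str]] = {}

    def save_card(self, customer_id: str, pan: str, expiry: str) -> str:
        token = self._vault.add_card(customer_id, pan, expiry)
        self._wallets.setdefault(customer_id, []).append(token)
        return token                                # the PAN is not retained here

    def wallet_view(self, customer_id: str) -> List[dict]:
        return self._vault.list_cards(customer_id)

    def buy(self, customer_id: str, token: str, amount_cents: int) -> dict:
        return self._vault.charge(customer_id, token, amount_cents)

    def remove_card(self, customer_id: str, token: str) -> bool:
        if not self._vault.delete_card(customer_id, token):
            return False
        wallet = self._wallets.get(customer_id, [])
        if token in wallet:
            wallet.remove(token)
        return True

    def stored_state(self) -> str:
        """Everything the public side holds, as text, to check no PAN is present."""
        return repr(self._wallets)


# Constructed sample input: a well-known test card number, not a real account.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    shop = StorefrontService(CardVault())
    tok = shop.save_card("cust-1", TEST_PAN, "12/29")
    print(shop.wallet_view("cust-1"))
    print(shop.buy("cust-1", tok, 1999))
    print("PAN held by storefront:", TEST_PAN in shop.stored_state())
```

    The guarantee the thread is after is visible in the types: the only path from the vault back to the storefront is a token, a four-digit suffix or a receipt, so a compromise of the storefront's database exposes tokens that are useless without the customer's session and a vault that refuses to hand out numbers.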

  21. Re:First of all... by an+unsound+mind · · Score: 2

    Sony as an example of quality?

    Are you trolling us?

    Sony hardware is just as good quality-wise as the rest; only their prices are quite a bit above.

  22. Re:First of all... by Leebert · · Score: 2

    Sony hardware is just as good quality-wise as the rest; only their prices are quite a bit above.

    These days. Back in the days of the green power button, you could count on Sony to produce a pretty darn good product that was at least as good as any other competitor.

  23. Re:not taking reasonable care by The+Moof · · Score: 2

    Being an Xbox Live player (hate to say this because it's MS we are talking about), but you can enjoy gaming without the possibility of account hijacking.

    That's actually not true. XBL support has a notoriously bad track record when it comes to social engineering and giving away your account details to attackers. There were quite a few articles about it a few years back (here's one from a quick search). I think it's actually more of a threat since a valid credit card is required for XBL Gold accounts.

  24. Re:not taking reasonable care by ciderbrew · · Score: 2

    No, that is not all that was lost. That data gets put towards another pile of data. Just because you can't think of how to use it, doesn't mean that someone else can't leverage it.

  25. Re:not taking reasonable care by Legion303 · · Score: 2

    "For starters, they transmitted CC numbers in plain text over the Internet."

    No they didn't.

    They transmitted CC numbers over SSL over the internet, and some dipshit reinvented the wheel and "discovered" that he could spoof a cert on his own system and decrypt his own data, then he started claiming the info was sent unencrypted, and people like you read the headlines and started making the same claim everywhere else.

    Sony is an absolute shitfuck of a company (to coin a phrase), but you can't claim this one with a straight face.