Slashdot Mirror


Sony Sued For PlayStation Network Data Breach

suraj.sun writes "Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed. The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the US District Court for the Northern District of California. Johns accuses Sony of not taking 'reasonable care to protect, encrypt, and secure the private and sensitive data of its users.' He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"

13 of 404 comments

  1. He got notified? by FSWKU · Score: 5, Insightful

    I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.

    Sadly, I know how this is going to turn out. There will be a class-action suit in which Sony is fined heavily. But the vast majority of the money will go to some shark lawyer, and the only thing the people affected by this will receive is a free 1-month subscription to PSN+. Actually, I'll be surprised if they even give us that much.

    If this DOES go class-action, I will definitely be on the lookout for my notice to opt out. If I see any erroneous charges on my card stemming from this massive amount of incompetence, I want to retain my full legal right to bring my own suit against Sony where they will be required to provide me with credit monitoring and credit fraud protection. I'm sorry, but a boilerplate "we're sorry" and some token gesture are NOT going to cut it here.

    --
    "So after all this, you make my case for me. To end this stalemate, you must die..."
    1. Re:He got notified? by Labcoat Samurai · Score: 4, Funny

      I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.

      Indeed. On the blog, I noticed some apologist in the comment section trying to defend Sony by saying that it takes a long time to send 77 million emails. Tell that to a spammer, I thought.

    2. Re:He got notified? by FictionPimp · Score: 4, Informative

      Not the AC, but here was my email

      Valued PlayStation(R)Network/Qriocity Customer:

      We have discovered that between April 17 and April 19, 2011,
      certain PlayStation Network and Qriocity service user account
      information was compromised in connection with an illegal and
      unauthorized intrusion into our network. In response to this
      intrusion, we have:

      1) Temporarily turned off PlayStation Network and Qriocity services;

      2) Engaged an outside, recognized security firm to conduct a full
      and complete investigation into what happened; and

      3) Quickly taken steps to enhance security and strengthen our
      network infrastructure by rebuilding our system to provide you
      with greater protection of your personal information.

      We greatly appreciate your patience, understanding and goodwill
      as we do whatever it takes to resolve these issues as quickly and
      efficiently as practicable.

      Although we are still investigating the details of this incident,
      we believe that an unauthorized person has obtained the following
      information that you provided: name, address (city, state, zip), country,
      email address, birthdate, PlayStation Network/Qriocity password and login,
      and handle/PSN online ID. It is also possible that your profile data,
      including purchase history and billing address (city, state, zip),
      and your PlayStation Network/Qriocity password security answers may
      have been obtained. If you have authorized a sub-account for your
      dependent, the same data with respect to your dependent may have
      been obtained. While there is no evidence at this time that credit
      card data was taken, we cannot rule out the possibility. If you have
      provided your credit card data through PlayStation Network or Qriocity,
      out of an abundance of caution we are advising you that your credit
      card number (excluding security code) and expiration date may have
      been obtained.

      For your security, we encourage you to be especially aware of email,
      telephone and postal mail scams that ask for personal or sensitive
      information. Sony will not contact you in any way, including by email,
      asking for your credit card number, social security number or other
      personally identifiable information. If you are asked for this information,
      you can be confident Sony is not the entity asking. When the PlayStation
      Network and Qriocity services are fully restored, we strongly recommend that
      you log on and change your password. Additionally, if you use your PlayStation
      Network or Qriocity user name or password for other unrelated services or
      accounts, we strongly recommend that you change them as well.

      To protect against possible identity theft or other financial loss, we
      encourage you to remain vigilant, to review your account statements and
      to monitor your credit reports. We are providing the following information
      for those who wish to consider it:
      - U.S. residents are entitled under U.S. law to one free credit report annually
      from each of the three major credit bureaus. To order your free credit report,
      visit www.annualcreditreport.com or call toll-free (877) 322-8228.

      - We have also provided names and contact information for the three major U.S.
      credit bureaus below. At no charge, U.S. residents can have these credit bureaus
      place a "fraud alert" on your file that alerts creditors to take additional steps
      to verify your identity prior to granting credit in your name. This service can
      make it more difficult for someone to get credit in your name. Note, however,
      that because it tells creditors to follow certain procedures to protect you,
      it also may delay your ability to obtain credit while the agency verifies your
      identity. As soon as one credit bureau confirms your fraud alert, the others
      are notified to place fraud alerts on your file. Should you wish to place a
      fraud alert, or should you have any questions regarding your credit report,
      please contact any one of the agencies listed below:

      Ex

  2. Here's to sinking Sony's battleship by cultiv8 · Score: 5, Informative

    46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4

    --
    sysadmins and parents of newborns get the same amount of sleep.
    1. Re:Here's to sinking Sony's battleship by shish · Score: 4, Funny

      If those are the grid references for the different pieces of Sony's battleship, I'm surprised it can float in the first place o_O

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  3. Re:not taking reasonable care by mysidia · Score: 5, Informative

    I'm not sure I buy that first part, given that no online service is ever going to be 100% secure.

    Reasonable care would imply robustly isolating transaction processing systems and user-accessible systems from systems that store primary account numbers such as credit card/bank account numbers from online/public access systems such as the internet, or the PlayStation Network.

    Reasonable care would include complying with PCI requirements, relating to auditing, security practices, separation of computer systems by role, and enforcing strong unique access credentials for users and systems.

    So that a compromise of the publicly accessible network cannot lead to compromise of the account numbers.

    This is highly doable. The only commands/services the PSN/publicly accessible servers need from account servers is a command to "add a new account number" to the database linked to a certain customer, a command to "erase an account number", a command to list privacy-filtered summary to display a 'delete' user interface, and a command "authorize/charge a transaction to account number" (without revealing what the number actually is to the transaction processing server).
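The split mysidia describes, as an added example that is not from this thread: an isolated account-number vault whose entire command surface is the four commands listed (add, erase, privacy-filtered list, authorize by handle), so the publicly reachable PSN side only ever holds opaque tokens and the last four digits. The class and function names, and the stand-in acquirer that approves small charges, are my own constructions.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass
class _Card:
    customer_id: str
    pan: str       # primary account number; no command ever returns this field
    expiry: str


def _fake_acquirer(pan: str, expiry: str, amount_cents: int) -> bool:
    """Constructed stand-in for the real card processor; approves charges up to $500."""
    return amount_cents <= 50_000


class AccountVault:
    """Isolated store for card numbers. Only the four commands below exist;
    a compromised front-end server that can reach this API still cannot read a PAN."""

    def __init__(self, acquirer=_fake_acquirer):
        self._cards = {}          # token -> _Card, private to the vault process
        self._acquirer = acquirer

    def _owned(self, customer_id: str, token: str) -> _Card:
        card = self._cards.get(token)
        if card is None or card.customer_id != customer_id:
            raise KeyError("no such card for this customer")   # same error either way: no oracle
        return card

    def add_account_number(self, customer_id: str, pan: str, expiry: str) -> str:
        """Command 1: store a PAN for a customer and hand back a random handle."""
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("PAN must be 13-19 digits")
        token = secrets.token_hex(16)   # random handle, mathematically unrelated to the PAN
        self._cards[token] = _Card(customer_id, pan, expiry)
        return token

    def erase_account_number(self, customer_id: str, token: str) -> None:
        """Command 2: delete a card, but only if it belongs to the requesting customer."""
        self._owned(customer_id, token)
        del self._cards[token]

    def list_summary(self, customer_id: str) -> list:
        """Command 3: privacy-filtered view for a 'delete card' screen (token + last four)."""
        return [{"token": t, "last4": c.pan[-4:], "expiry": c.expiry}
                for t, c in self._cards.items() if c.customer_id == customer_id]

    def authorize(self, customer_id: str, token: str, amount_cents: int) -> dict:
        """Command 4: charge by handle. The PAN is used here, inside the vault, and nowhere else."""
        card = self._owned(customer_id, token)
        approved = self._acquirer(card.pan, card.expiry, amount_cents)
        return {"approved": approved, "last4": card.pan[-4:], "amount_cents": amount_cents}
```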

  4. DRM anyone? by lasinge · Score: 5, Insightful

    It's funny how Sony works so hard to protect their data and content via all their DRM attempts, when it's their customers' - not so much. On the other hand, they now have something to point to when people want to run whatever OS they want to run on their machines. Still, they can't stop it; they should focus on keeping their customers' credit card info out of harm's way (remind me why they need to keep persistent credit card data anyway? That should be an opt-in only type of thing, with a required expiration date otherwise). On a related note, when I set up a new account at my bank they only allow alphanumerics with no special characters. WTF? Try to explain rainbow tables to a bank representative. So I used all of them ... I had the longest password she had ever seen.

    --
    you are in a twisty maze of different passages.
  5. Well... by Anonymous Coward · Score: 5, Interesting

    Actually I just got a notification from Sony about this today.
    And according to this http://vgn365.com/2011/04/26/psn-users-reporting-hundred-of-dollars-stolen-from-them/
    the CCs are already in the wild.
    I know Visa is aware of the issue. They have reissued me a new card based on this information.
    So yea, it could go somewhere.

  6. Re:They sat on it for a week... by Darkness404 · Score: 5, Insightful

    And sitting on something like this for a week -is- a problem. When you have possibly exposed the equivalent of 25% of the US population to credit card fraud, the world needs to know. This isn't some "oh whoops, one of our laptops is missing"; instead, this is a data breach affecting 77 million people. And to say -nothing- is completely irresponsible. A week is a pretty long time to not say -anything- and to just hope that it will go away.

    Even someone who has your personal information for a few hours can cause havoc in your life, let alone for an entire week.

    --
    Taxation is legalized theft, no more, no less.
  7. Re:Good FUCKING Grief... by Anonymous Coward · Score: 4, Insightful

    In a country where corporations like Sony effectively own lawmakers, criminal remedies are impossible. Civil cases involving "lawyer whores" are the only recourse allowed (short of vigilantism).

  8. Re:Class Action by fermat1313 · Score: 5, Informative

    Wow, I don't think you actually read that document. That opinion had absolutely nothing to do with Products or Services, and it doesn't disable class status for lawsuits. It states that an arbitration agreement that disallows class arbitration is allowable. Basically, if you sign away your right to arbitration by class action, that is valid, and you can't later invoke class-wide arbitration.

    Lots of misinformation around here sometimes.

  9. Re:not taking reasonable care by DeadboltX · Score: 5, Funny

    When I ran a server that contained sensitive customer data, I left the database open and without a password. That way if someone was going to hack me, I didn't have to buy a new password. Analogy fail.

  10. Re:Check your EULA... you probably can't sue by PRMan · Score: 5, Informative

    Techdirt just found that 96% of awards in business vs consumer arbitration go to the business. Still stand by your statement?

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...