- Subscribe to JETLaw
- Volume 15
- Volume 14
- Volume 13
- Volume 12
- Volume 11
- Volume 10
- Volume 9
- Volume 8
- Volume 7
- Volume 6
- Volume 5
- Volume 4
- Volume 3
- Volume 2
- Publish With JETLAW
Shortly after Japan’s devastating earthquake and tsunami closed 10 of its facilities, Sony Corp. is fighting a new one-two punch. In late April 2011, Sony was investigating denial-of-service attacks on its PlayStation Network servers when criminal hackers exploited the server’s vulnerability and stole data from 77 million user accounts. Later, on May 2, 2011, Sony informed consumers that its PC games network had also been exposed during the breach, leaving up to 24.6 million PC games accounts at risk. The staggering amount of personally identifiable information taken ranks as one of the biggest data breaches in history.
Although the extent of the breach is not yet fully clear, Sony appears to be fighting battles on multiple fronts– against public criticism, two sets of hackers, and scrutiny by the federal government. And now, while Sony has publicly stated that it “has no evidence” that users’ credit card numbers were exposed during the data breach, at least one group of hackers has publicly boasted that it is
extorting trying to sell 2.2 million credit card numbers– allegedly obtained during the breach– back to Sony.
While Sony was undoubtedly a victim of criminal hackers, many have publicly critized Sony’s response to the data breach instead of blaming the hackers. Specifically, although Sony began investigating its PlayStation servers for possible intrusions on April 19th, Sony did not notify customers of the breach until April 26th. Yet as more details emerge about Sony’s actions during those seven days, a far more complicated picture arises than critics seem to recognize. The following is a brief timeline of how Sony responded (PDF) to the possible data breach.
April 19, 2011, 4:15pm PDT: Sony’s network service team notices unusual rebooting of PlayStation servers; the team begins running tests and triggers an investigation into the matter.
April 20,2011: Tests find an unauthorized intrusion occurred, but more tests will have to be run in order to determine what data was exposed. Out of an abundance of caution, Sony shuts down the PlayStation Network system and hires an outside security and forensic consulting firm to begin more in-depth investigations.
April 21, 2011: Sony hires a second security firm to investigate.
April 22, 2011: Sony notifies the Federal Bureau of Investigation (FBI) of its suspicions, while forensic experts continue running tests.
April 26, 2011: Sony notifies the public of the breach.
While critics villify Sony for failing to notify consumers sooner, the sequence of events outlined above demonstrates that instead of passively responding to a possible data breach, Sony acted cautiously and vigorously to protect customer data, by triggering a complex investigation into the matter. Granted, the security measures Sony had in place to protect customer information could be significantly improved. While credit card information was encrypted, other identifying information– like birth dates, names, and passwords– were not. The company plans to add additional firewalls, enhance levels of encryption, add automated software monitoring and other safeguards to prevent another massive data breach.
Sony now believes that it knows how the breach happened, but still does not know who waged the large-scale cyber-attack on its servers. However, during the investigation, the security team found a file on the server that was titled ”Anonymous,” containing the words, “We are Legion.” Anonymous is a group of hackers that attacked the websites of major credit-card firms this past December. While Anonymous admitted it was behind the denial-of-service attack– allegedly in retaliation for Sony’s suit against a hacker– the group denied any involvement in the theft of consumer data.
While we wait to learn who was responsible for the data theft, the U.S. House of Representatives appears to be considering ways to prevent another data breach. On May 4, 2011, the Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing, and Trade, held a hearing on Data Security. The Federal Trade Commission (FTC) appeared (PDF) before the Subcommittee to propose that Congress enact federal legislation that would set standards for data security and require companies to notify customers of security breaches. The FTC suggests a policy of privacy by design, whereby companies will incorporate reasonable security measures and safeguards into their business practices.
Although in retrospect, Sony should have had stronger safeguards in place to protect customer data, the company’s proactive response to the massive data breach was appropriate. What is perhaps a greater problem is the public’s response to the breach. Rather than blaming the hackers who executed denial-of-service attacks and those who exploited the disabled servers to steal sensitive data , both the public and public officials have harshly criticized Sony, without pointing fingers at the true party at fault: the hackers. While federal legislation may be necessary to ensure that companies protect customer data, customer information will remain at risk if public opinion remains ambivalent about hackers.
– Ilana Kattan