Skip Links

The Sony PlayStation Network breach: An identity-theft bonanza

Massive Sony PlayStation data breach puts about 77 million people at higher risk of fraud

By , Network World
April 27, 2011 04:15 PM ET

Network World - The massive Sony PlayStation Network data breach that exposed personal and password information -- and possibly credit cards -- of an estimated 77 million people is an identity-theft bonanza.

"This is a gold mine to break into other accounts," says Rod Rasmussen, president and chief technology officer at Internet Identity, a technology and services provider that helps guard against corporate brand-name damage and data loss on the Internet. He says the mountain of customer information gained by the Sony PlayStation Network attacker will facilitate email phishing attacks as well as attempts to break into other types of accounts, since people often use the same passwords for their various accounts. He urges anyone impacted by the Sony PlayStation Network breach to change any similar password they use elsewhere.

MORE ON SONY BREACH: Sony PlayStation personal user data stolen | Your FAQs answered

Sony Computer Entertainment and Sony Network Entertainment yesterday acknowledged that an "unauthorized person" has stolen the following kinds of information that was provided by its by PlayStation and Qriocity customers: "Name, address, country, email, address, birth date, PlayStation Network/Qriocity password and login and handle/PSN online ID." Sony took its PlayStation Network offline last week and yesterday disclosed what it knows so far about the massive breach.

The Sony division said sub-accounts for dependents were also compromised, adding, "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit-card data through PlayStation Network or Qriocity, out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration data may have been obtained."

Information being quietly shared by companies under contract to Sony suggest that there was a massive denial-of-service attack against the Sony network right before the actual network break-in when the data was stolen, says Paul Henry, security and forensics analyst at Lumension.

Although the vigilante hacker group Anonymous is denying involvement, Henry says nothing can be ruled out right now. Anonymous had been in a sort of feud with Sony due to the company's lawsuit against a hacker who had released code to make it possible to run homemade games on PlayStation 3 as well as pirated software.

But PlayStation users need to be aware that the massive haul of their personal data means "everything is there for full-blown identity theft, except the Social Security numbers," Henry emphasizes.

Henry predicts there will likely be phishing campaigns by the attackers -- or whoever buys the stolen personal information from the attackers -- to try to get those Social Security numbers. With Social Security numbers, it's not hard to commit financial fraud related to loans or new credit cards, for instance. Henry urges PlayStation victims to contact the three credit-reporting agencies to put a "credit alert" on their accounts so that "no credit can be established without your notification and consent."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News