Sony admitted this week that they suffered a major instrusion onto their network servers by a hacker or group. Their PSN (PlayStation Network for PlayStations and the PSP Go handheld gaming device) and Qriocity media services were affected. The outages started on April 20 and on the 22nd Sony admitted that there had been a malicious attack on the services. In a statement on the PlayStation blog, they admitted that user information was compromised.
According to Sony (emphasis added) : "Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information provided by PlayStation Network/Qriocity account holders: name, address (city, state, zip), country, email address, birth date, PlayStation Network/Qriocity password, login, and handle/PSN online ID. Other profile data may also have been obtained, including purchase history and billing address (city, state, zip). If an account holder has authorized a sub-account for a dependent, the same data with respect to that dependent may have been obtained. If an account holder provided credit card data through PlayStation Network or Qriocity, it is possible that the credit card number (excluding security code) and expiration date may also have been obtained."
It has been reported elsewhere that security questions have also been compromised.
This is a very damaging attack. It goes beyond the reach of the recent or even beyond attacks on retailers. It is important that anyone who has ever created an account on these services take the time to review their exposure.
- Your online presence. If you used the same password or identity on multiple sites, you will want to consider changing your passwords and even your security questions. All of the normal security checks (security questions, confirmation of your recent purchases, your address, birthdate) have been exposed and so the hacker or hackers involved (or third parties that they sell to or share with) will have the information to steal your other accounts.
- Email, phone and US mail contacts. You will have to be especially vigilant and distrustful of offers that may come from scammers and thieves. Consider again giving new email contacts to your trusted contacts and using free email services to have an email address that you can use with less important contacts. Maybe even get a Google Voice phone number to provide when you don't feel secure in sharing your home or cell phone number.
- Your credit card and banking information. With many banks offering secure online banking, perhaps make it part of your daily routine to review your accounts. Especially after you hear that your accounts may be compromised. You don't want to wait until the end of the month, or until your accounts have been depleted to notice that something is wrong.
- Talk to your kids. If your teenagers had their own online identity, talk to them about all of these same precautions. Scammers know that teenagers and even younger children are sometimes less sophisticated about the dangers of identity theft.
Sony is still investigating this matter and the networks are still offline. They have a lot to do to find out about the exact scope of this attack, who is behind it and how to assist their users in protecting their identities online. Users should be disappointed to hear that much of this information was unencrypted and stored as simple readable text. Whether or not Sony will be able to earn the trust of their community is to be seen. In the meantime, unfortunately, you will have to take your own protective measures.