 |
| Image courtesy of DeclanTM |
Sony stated that between 17 and 19 April 2011, an unauthorised person obtained PSN user information including names, addresses, email addresses, birth dates, usernames, passwords, logins, security answers and purchase history. Most significantly, Sony could not rule out the possibility that credit card data had been taken.
With approximately 77 million account holders affected, the security breach has been dubbed one of the largest thefts of user information on record.
Sony's response
There is no indication as yet from Sony as to how the breach occurred.
Sony have since engaged an external security firm to conduct an investigation into the breach. The FBI has also been informed of the breach, and Sony has begun rebuilding its system in an effort to prevent future breaches. Sony has liaised with three major United States credit bureaus to offer United States customers the option of placing a 'fraud alert' on their credit file to ensure tighter credit security.
Public scrutiny
Sony has come under particular heat due to its delay in publicly announcing the breach. Although Sony appears to have learned of the intrusion on 19 April 2011, customers were not informed until one week later. This is despite Sony turning off both the PSN and Qriocity services in the interim. Sony has explained that its knowledge of the intrusion came before the company learnt of the full scope of the breach and its potential effect on consumers' data.
On 27 April 2011, the first lawsuit was filed in the United States District Court against Sony by a PSN user. The law suit seeks class action status and claims that Sony failed to maintain 'adequate computer data security of consumer personal data and financial data', and 'unduly delayed' notifying the public. This delay prevented customers from taking mitigating actions such as closing their accounts, checking their credit card reports, or changing their credit card number. Amongst the relief claimed is monetary compensation and an order that Sony pay for credit card monitoring for the plaintiff and all members of the class.
Claim against Sony such as this may, however, be challenging to make out, in light of PSN and Qriocity's Terms of Service and User Agreement, under which Sony expressly excludes all liability 'for loss of data or unauthorised access to [user] data'.
Australian consumers
Sony Australia has confirmed that Australian consumers have been amongst those affected.
The New South Wales Police Fraud Squad has warned Australian customers to be vigilant of identity crime and phishing in the aftermath of the breach, advising that consumers should cancel their credit cards, change their passwords if they use their PSN password for other services or, at the very least, notify their bank that their information has been compromised.
And the Australian Privacy Commissioner has stated that he intends to launch an Own Motion Investigation into the matter.
Partner: Paul Kallenbach
