The Sony Wake-up Call: Time to Get Serious About Data Protection
05/06/11 5:00 AM PT
Most of the talk about protecting users' privacy on the Web has centered on preventing the collection of information that would aid companies in creating targeted ad campaigns.
I appreciate the efforts of all those people -- from the myriad consumer watchdog groups to former presidential candidates Sens. John Kerry and John McCain -- pushing for legislation that would protect me from the annoyance of spam emails and popup ads. But I wish they would expend more time and energy looking for ways to stop data breaches like those experienced by Sony the past couple of weeks.
That type of privacy invasion has the potential to inflict much more damage on consumers than simply sharing users' browsing habits with advertisers.
In the Sony case, hackers were able to get consumers' actual credit card numbers -- and they didn't get them from users. They got them on the backend, by infiltrating Sony's supposedly secure databases.
That's where the real effort to protect users' personal information should be focused. There are many scary elements to the Sony breaches, starting with the sheer number of user accounts that were compromised.
Sony admits that hackers gained access to more than 100 million accounts connected to three different online services -- its PlayStation Network social gaming platform, its Qriocity online music and video service, and the Sony Online Entertainment platform that gives users access to video games on PCs.
It's still unclear how many actual credit card numbers were pilfered in these attacks. Sony has acknowledged that a minimum of 20,000 credit card and bank account numbers were lifted in the SOE hack. It also said more than 12 million of the 77 million subscribers to the PlayStation Network have credit card information stored on that platform.
Those people should be especially worried about the press reports that hackers have been complaining in online forums that the Sony attacks have put so many credit card numbers into circulation that it could depress selling prices for all credit card numbers on the black market.
Consumers Are at Great Risk
Those reports also should catch the attention of anyone advocating the passage of legislation like the Commercial Privacy Bill of Rights sponsored by Kerry and McCain.
As I mentioned before, having credit card information stolen presents much more potential for harm than having your browsing habits, email address -- or even your current location -- passed on to an advertiser.
Most credit cards offer users a limited amount of protection from unauthorized charges, but the potential damage from having card data stolen can still be substantial. If, for instance, you're in the habit of using a debit card for online transactions rather than a traditional credit card, the risk is huge.
Most banks that issue debit cards with a Visa or Mastercard logo will limit a customer's liability for fraudulent purchases to US$50, but only if the customer notifies the bank within two days of the fraud taking place. The amount rises to $500 if you report between two and 60 days. After 60 days, however, you can be stuck with the entire fraudulent bill.
Banks also have been known to ask for police reports or other proof of theft before reimbursing debit-card customers for fraud. Then there's the matter of the money being missing from your account the entire time the bank is investigating the case.
Another issue for both debit and credit card holders is the potential damage fraudulent charges can do to a credit report, which these days is used to screen applicants for everything from car and home loans to jobs and school admissions.
Known Network Vulnerabilities?
With this much at stake for their customers, you'd think companies offering popular services like online gaming would go to great lengths to keep their databases secure. As the Sony episodes indicate, however, that's not necessarily the case.
During Congressional hearings on the matter earlier this week, a computer science professor from Purdue University claimed to have learned of serious vulnerabilities on Sony's network from online forums months before the company's networks were hacked. Visitors to these forums -- many claiming to be Sony employees -- said key parts of the PlayStation Network ran on Apache servers that "were unpatched and had no firewall installed," testified Eugene Spafford, Ph.D.
I have no way of verifying the validity of that statement, but I do know Sony had a difficult time telling users whether it did or did not collect CVC codes -- the three-digit card verification number that typically is the last bit of information used to verify a card's authenticity in online or telephone transactions.
In the blog Sony has been using to update customers on the situation, the company initially said it never collected CVC numbers from people registering on the PlayStation Network. A few days later, it struck out that statement: it did in fact collect CVC codes, but it didn't store them in its database.
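The distinction Sony ended up drawing -- the CVC is collected to authorize a charge but must never be written to the database -- is exactly the line the card brands' rules draw, and it is easy to get wrong in code that logs or persists the whole checkout form. The following Python sketch is an added example, not Sony's code or anything from its blog: the processor call is a local stand-in, the names (authorize_with_processor, PaymentRecord, assert_storable, redact_card_numbers) are invented for the example, and the card number 4111111111111111 is the standard Visa test number, not real customer data.

```python
"""Collect a CVC for authorization, but never persist it.

Added example of the 'collect but do not store' pattern. The processor call is
a stand-in that runs offline; the card number below is a constructed test value.
"""
from dataclasses import dataclass, asdict
import json
import re

# Keys that may exist in the checkout request but must never reach storage.
FORBIDDEN_AFTER_AUTH = {"cvc", "pan"}


@dataclass(frozen=True)
class PaymentRecord:
    """The only payment data the application is allowed to keep."""
    account_id: str
    last4: str
    expiry: str
    auth_code: str
    amount_cents: int


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by all major card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_data(text: str) -> bool:
    """True if any 13-19 digit run in the text is a Luhn-valid card number."""
    return any(luhn_valid(run) for run in re.findall(r"\d{13,19}", text))


def redact_card_numbers(text: str) -> str:
    """Mask Luhn-valid card numbers before the text goes to a log line."""
    def mask(m: re.Match) -> str:
        run = m.group(0)
        return "*" * (len(run) - 4) + run[-4:] if luhn_valid(run) else run
    return re.sub(r"\d{13,19}", mask, text)


def authorize_with_processor(pan: str, expiry: str, cvc: str, amount_cents: int) -> dict:
    """Stand-in for the card processor. A real one verifies the CVC itself and
    returns only an approval flag and an authorization code; the CVC never
    comes back and has no reason to be kept once this call returns."""
    if not (pan.isdigit() and luhn_valid(pan) and cvc.isdigit() and len(cvc) in (3, 4)):
        return {"approved": False, "auth_code": ""}
    return {"approved": True, "auth_code": f"AUTH-{amount_cents}"}


def charge_card(account_id: str, form: dict, amount_cents: int) -> PaymentRecord:
    """Authorize using the full form, then hand back only what may be stored."""
    result = authorize_with_processor(form["pan"], form["expiry"], form["cvc"], amount_cents)
    if not result["approved"]:
        raise RuntimeError("card declined")
    # Build the durable record from derived, non-sensitive fields only.
    return PaymentRecord(
        account_id=account_id,
        last4=form["pan"][-4:],
        expiry=form["expiry"],
        auth_code=result["auth_code"],
        amount_cents=amount_cents,
    )


def assert_storable(record: PaymentRecord) -> dict:
    """Last line of defence before the INSERT: refuse to persist anything that
    still carries a CVC key or a full card number, even inside a string."""
    payload = asdict(record)
    leaked = FORBIDDEN_AFTER_AUTH & set(payload)
    if leaked:
        raise ValueError(f"refusing to store sensitive fields: {sorted(leaked)}")
    if contains_card_data(json.dumps(payload)):
        raise ValueError("refusing to store a full card number")
    return payload


if __name__ == "__main__":
    checkout_form = {"pan": "4111111111111111", "expiry": "12/27", "cvc": "123"}  # constructed
    rec = charge_card("user-42", checkout_form, 5999)
    print("storable:", assert_storable(rec))
    print("log line:", redact_card_numbers(f"checkout {checkout_form}"))
```

The point of assert_storable is that it inspects the serialized record rather than trusting field names, so a PAN that sneaks into a free-text column is caught too; the redaction helper does the same for log lines, which are the other place card data tends to end up after authorization.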
The Government Needs to Act
After reading comments from Sony Network users on the blog, I understand why Sony might not have felt a great need to hack-proof its databases. While a few of the gamers responding to Sony's blog posts acknowledged some concern about the potential of having their credit card numbers circulating freely in the darker regions of cyberspace, most of them simply wanted to know when the network would be back up so they could resume playing their games.
Even if Sony or its video gaming customers don't take these data breaches seriously, the rest of us must. If a company as large as Sony is allowed to have lax practices for protecting credit-card information, what's to stop other companies from doing the same? That potentially puts all of us at risk. Because let's face it: We all have credit card information sitting on some company's database somewhere.
Maybe this is one area in which the government needs to intervene. Instead of passing Do Not Track legislation, how about some Make Sure Your Customers' Credit Card Numbers Are Not Stolen legislation?