By now almost everyone I know (and millions of people I haven’t had the pleasure of meeting yet) has read or heard about Sony’s announcement last week that its PlayStation network was hacked and that the Personal identifying Information (PII) of potentially 77 million individuals worldwide has been compromised. Then, earlier this week, Sony notified us that there’d been a second breach. This one involved the accounts of 25 million members of Sony Online Entertainment, which hosts the popular online game EverQuest, among other diversions. That means that the PII of more than 100 million Sony customers is now twisting in the wind. And now, a law firm in Canada has filed a class action lawsuit against Sony for more than $1 billion in damages on behalf of nearly one million Canadians.
It is a reasonable assumption that many minors inhabited both of these Sony networks. The stolen PII included names, dates of birth, email addresses, physical addresses, user IDs and passwords and at least some credit card information. Further, children or their parents might unwittingly give up additional information (or expose their computer to malware that would turn their home network into a broadcast vehicle for their financial account numbers and passwords) to a “phisher” pretending to be a legitimate Sony representative following up on the breach. Were they to give up their Social Security number, for example, someone could do quite a bit of damage, especially given children have no reason to check credit information for many years to come. Perhaps the fact that the breach was so large, and involved kids, explains why in a week that saw mile-wide deadly and horrific tornados, a US president publicly releasing his birth certificate, and precious metals prices reaching all-time highs, the PlayStation breach made the front page of the Wall Street Journal.
[Related article: As Breach Worsens, Sony Leaders Say They Knew of Security Problems]
Here’s why: While, the compromise of children’s identities isn’t new, it certainly is a big story when it happens. It has been estimated that more than 400,000 such incidents occur each year and that number has been growing for some very good reasons. First and foremost, however vigilant most adults may be about their own identities, rarely do parents think about monitoring their children’s status. A thief thereby gains something very important—precious time before any discovery of the felony occurs. Secondly, a child is very likely to have a dormant Social Security number, which presents a clear field for account creation and manipulation. Again, should the perpetrator of a phishing attack succeed in obtaining a SSN, the damage he could do setting up new, fraudulent credit accounts could go undetected for years.
Frankly, I’m not surprised that Sony was hacked. Major data breaches, many of which have been the subject of several of these columns, are occurring about once a week these days. Surely one cannot reasonably believe that Sony—or for that matter its competitors, Microsoft and Nintendo—could be immune.
To say that Sony’s response to this breach has been understated is itself a huge understatement. In a press release that the company sent out this past weekend, almost two weeks after the breach happened, they outlined the steps they were taking to deal with their “oops” moment (I am being gentle here), and then tried to make amends in a manner befitting a clueless corporate monolith (ok, forget gentility). They’d like to welcome their users back to the network with the following:
“All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.”
They are also offering some unspecified, free downloads, in addition to some yet-to-be named freebies. Be still my heart! Thirty days of access to Playstation Plus and all you had to do was open the doors of your home, your office and your life to identity thieves. What a great deal! And, in case their customers are actually concerned about the integrity of their identities, Sony was kind enough to provide a few self-help tips on protecting yourself and a short list of government and credit reporting agencies to whom you can turn in the event of a personal compromise.
[Update: After this article was published, Sony announced that it would offer identity theft protection services to PlayStation Network and Qriocity account holders in the United States, and was making similar arrangements for its customers in other countries and territories.]
Image: Fabrizio Sciami, via Flickr.com