Sony has posted information about the “illegal intrusion on our systems” that has caused the PlayStation Network (PSN) to be closed temporarily. PSN is necessary for playing online games and downloading music and videos.
Sony has disclosed that:
Between April 17 and April 19 2011 an attacker gained access to “user account information”
The information includes:
name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
The information might include:
While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained
The remainder of the information is mainly generic advice on fraud prevention. Many comments to the blog post make the reasonable point: why were they not informed earlier?
How many users are on PSN? The number 75 million is widely reported. In January Sony claimed over 69 million PSN members.
It is easy to say that Sony should have operated a more secure system. Making a judgment on that is hard because there is a lot we do not know. Was this information encrypted? Sony says passwords were stolen, which may mean they were unencrypted though that is hard to believe; or that they were encrypted but likely to be easily decrypted, which is perhaps more likely. On the other hand the fact that encryption is not mentioned in the post tends to suggest that none of this information was encrypted.
The scale of the incident makes it remarkable but the fact of network intrusions and personal data being stolen is not surprising, and likely much more of this happens than is reported.
The state of internet security overall remains poor and what we see constantly is that security best practices are ignored. Convenience and the desire of marketers to grab as much personal data as possible constantly trumps security.
Here is Kim Cameron, Microsoft’s identity architect, writing in 2005:
We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach represents a risk. To mitigate risk, it is best to acquire information only on a “need to know” basis, and to retain it only on a “need to retain” basis. By following these practices, we can ensure the least possible damage in the event of a breach.
The concept of “least identifying information” should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents “more identifying information” which should be avoided if it is not needed.
Cameron’s thoughtful and excellent “laws of identity” lack take-up within Microsoft as well as elsewhere; the CardSpace system that was built to support it was scrapped.
An example of the low priority of security around the web is the prevalence of “password security answers” as Sony describes them. This is additional information that allow you to recover an account if the password is forgotten, especially if the email address associated with the account is no longer in use. Contrary to the impression given by the forms that require the information, these questions and answers reduce your security in order to ease the burden on support. They break Cameron’s laws of identity by providing the third party with information that it does not need, such as mother’s maiden name, though of course you can provide fictional answers and in fact I recommend this.
Personally I am also one of those people who never tick the “save credit card details” box. I am happy to enter them every time, rather than hand them over to a system of unknown security. Some sites do not let you make purchases without saving credit card details; as I recall, Amazon is one of them, and Apple another. This means the consequences of security breaches at these companies are greater, though I imagine they also make more sales since the friction of the purchasing process is reduced.
I am not optimistic that internet security will improve in the near future, though I guess that major breaches like this one are a force for reform.
Update: In a new post Sony says that credit card data was encrypted but personal data was not. I am surprised if this included passwords; but the IT world is full of surprises.