
Sony’s Failure to Report Data Breach Incurs CT Senator Blumenthal’s Wrath



 

Connecticut Senator Richard Blumenthal is “demanding answers” about why Sony Computer Entertainment of America failed to inform customers of the data breach of the PlayStation Network on April 20.

 

“When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised,” Blumenthal said in a release. “Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach.”

 

Of course, Sony just issued a statement that it says will be emailed to “all of our registered account holders” but, as we noted in our post, it’s been nearly six days since the “intrusion” first took place. Blumenthal elaborated, “Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised.”

 

Sen. Blumenthal also sent a letter to SCEA President and CEO Jack Tretton; you can see it below:

 

 

 

April 26, 2011

 

Mr. Jack Tretton

President and CEO

Sony Computer Entertainment America

919 East Hillsdale Boulevard

Foster City, CA USA 94404

 

Dear Mr. Tretton:

 

I am writing regarding a recent data breach of Sony’s PlayStation Network service. I am troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections.

 

It has been reported that on April 20, 2011, Sony’s PlayStation Network suffered an “external intrusion” and was subsequently disabled. News reports estimate that 50 million to 75 million consumers – many of them children – access the PlayStation Network for video and entertainment. I understand that the PlayStation Network allows users to store credit card information online to facilitate the purchasing of content such as games and movies through the PlayStation Network. A breach of such a widely used service immediately raises concerns of data privacy, identity theft, and other misuse of sensitive personal and financial data, such as names, email addresses, and credit and debit card information.

 

When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.

 

I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.

 

PlayStation Network users deserve more complete information on the data breach, as well as the assurance that their personal and financial information will be securely maintained. I appreciate your prompt response on this important issue.

 

Sincerely,

 

/s/

 

Richard Blumenthal

United States Senate

 


  • Directors

This is a perfect response for the matters posted by Podcast Host rothbart...

 

I need to ignore Twitter right now... there are tons of people (and site feeds) spewing ignorance galore...

 

I work at a company that deals with data security... we wish everyone that lost a laptop or left data unencrypted had used our product(s) first. The fact is, NOBODY is impervious to being hacked. It happens all the time to tons of companies. It happens at a much larger scale than the 75M PSN users.

 

By data breach standards, what Sony has done here is the absolute textbook implementation of what to do correctly. They didn't put protocol aside to keep selling PSN content. They didn't put protocol aside to let gamers keep gaming, potentially muddying up the systems being scoured for clues. They didn't try to hide that this happened. They didn't try to analyze it themselves but instead brought in experts.

 

The people and sites that are faulting Sony on how they've handled this so far are simply, and I mean no disrespect by the use of the very most accurate word I can think of... "ignorant" as to what they're talking about.

 

If you think Sony should've battened down the hatches and never gotten hacked... talk to the HUNDREDS of other companies/brands/organizations out there that have endured the exact same fate. If you think Sony shouldn't have been storing credit card information (at all or in a certain way) you should know that all there are now are recommendations or guidelines, there are no LAWS yet that force companies to certain degrees of protection and even if they were adequately protected, depending on the extent and nature of the hack, having them protected to PCI DSS guidelines STILL might not prevent people from getting to our credit card information...

 

That said, Sony said there was no evidence that our credit cards were compromised. They recommended (and to be honest, this was worded well) that "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained." How can they be faulted for that? Would you rather them lie and say "you're safe" or "they were compromised"?

 

This was a textbook reaction to a large scale data breach and unlike MOST companies where we'd simply get an unexpected letter in the mail, we were somewhat kept in the loop by the raised awareness that PSN being down leading them to say something. You don't spill details during an investigation and these things take time. Hell, try checking out your computer after you've had a trojan installed and activated... now amplify that work by about a bajillion. Going through that stuff takes time.


http://blog.us.playstation.com/2011/04/26/clarifying-a-few-psn-points/

 

I wanted to take this opportunity to clarify a point and answer one of the most frequently asked questions today.

 

There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.

 

For those who were looking there’s also an FAQ with some more frequently asked questions

 

Thank you for your continued patience and support.

 

Very interesting.


In reference to http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

I didn't see our clan member post here on the site yet but I think it's important for everyone to know. It may not have any relation to this but I'll post what she said just as a precaution for everyone.

SeNoRiTaSaSSy: (Ok it is confirmed... we (the police department) are taking numerous reports of fraud from banking accounts being used all across the U.S. Every single person who has been a victim thus far uses an online account (with debit card info) on either the PS3 or Xbox. So far all have been from one bank that is just a local bank and not a branch but I would highly suggest contacting your bank and double checking with them as well as changing your passwords to everything!
Edited by iDnTyX