April 2011

Sony announced yesterday that its PlayStation Network and Qriocity services were compromised by an "unauthorized" person.  What was the haul?  According to Sony, the "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID" and the "profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers" of 77 million individuals.

That’s right, 77 million people.  This is one of the largest Internet data losses in history.  We can assume that the data was not encrypted, otherwise we would hear little or nothing about the data loss (most states exempt encrypted data from disclosure requirements), or else Sony would be screaming "Don’t fret too much, the data was encrypted and we did not lose the decryption key."  Sony is not making either claim at this time.

Well, data breaches happen, you may be thinking.  We have seen companies with best practices still suffer at the hands of hackers or rogue employees.  Sony is taking the most heat not from the data loss, but from the timing of the disclosure to those affected.  The disclosure of the data breach to customers directly was on April 26th.  The data breach apparently occurred between April 17 and April 19.  It has been reported that Sony discovered the breach on April 20th.  There was a gap of six days between discovery and disclosure.  Six days may be an eternity when you are a gamer and your network is down (there are likely millions of teenagers with fresh sunburns), but how long is six days in the data breach world?

Six days between discovery and disclosure may be acceptable, especially to the extent that Sony was working with law enforcement and was requested/told not to make a public announcement.  To clarify the preceding sentence, six days may not be too long when working with law enforcement as long as Sony was truly working with law enforcement and the delay had a genuine purpose.  However, Sony did not explain that law enforcement cooperation was the reason for the delay.  It is not likely that Sony ran afoul of any state statute timing requirements, which have quite a bit of leeway built in. 

If you or your children are on one of these services, you need to pay particular attention to this story as it develops.  You (the keyword being "you") need to monitor your bank accounts and credit cards – frankly, any account into which a third party can back into knowing your security question or your password on this service (remember, if you use the same password for your email account AND this service, somebody may have both of those right now).  For now, Sony has not offered any type of monitoring service, so your financial/credit monitoring is currently your responsibility.

Hopefully Sony will continue to come out with more information, or we will learn that the data is in "safe" hands (think Matthew Broderick in War Games – almost nothing went wrong in that movie).  In any event, your children that go to business school will enjoy reading the future case study on this one.