It's official: Sony suffers massive data breach
Sony has put out a statement about what happened. I would like to put this in context... Epsilon lost what, 40 million email addresses? The whole nation heard about that, either on TV, radio, Internet or via an email from the myriad of companies who sent out "notifications".
Sony may have lost 75 million people's information. There are a little over 300 million documented people in the United States. That means that 25% of the population of the United States had information on Sony's network? And now who has it?
Sony has been calling this an "outage", as if it were an electric company after a big storm. Excuse me, but the fact that your video game operations are offline is not the problem here; the problem is that 25% of United States citizens are now worried about identity theft, or should be.
Let's get to the specifics: Sony has said the following:
"...we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained... WHILE THERE IS NO EVIDENCE AT THIS TIME THAT CREDIT CARD DATA WAS TAKEN, WE CANNOT RULE OUT THE POSSIBILITY. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
From the statement posted by Patrick Seybold, Sr. Director, Corporate Communications & Social Media.
I have been reading words written by lawyers for fifteen years and pride myself on being able to tell when they are riding the razor's edge. I don't know if Mr. Seybold wrote it, I doubt it, nor do I know if a lawyer wrote it, but I am sure that Sony's legal counsel had a look at this statement before it went out.
Note that they are fairly certain that a bunch of your information was "stolen", but they're not quite sure that the credit card info was taken. A very convenient conclusion. Losing the credit card number would certainly make matters worse, but those could be changed... your name, address, etc. cannot be changed.
Everyone stays focused on the credit card number... oh dear, they have my credit card number... oh dear... LOOKIT, (as my grandmother used to say) with one simple phone call that "credit card" is a piece of plastic, nothing more. Of course, in order to make that happen, you'd have to know that it was missing... and Sony seems to have waited at least a week to finally tell us that "hey, maybe, well, possibly, ahhh, out of an abundance of caution, let's assume it's missing."
I find it hard to believe that they can't figure this out. This isn't some small restaurant group in Boston who was tech-ignorant... this is freakin' SONY. I know, they want to be sure before they go public. Not just "sure" but what I would call "no-other-choice sure." (as in, we have no other choice fellas, we have to tell mom we broke the lamp playing ball in the house)
I took a hard look at the Massachusetts Law, MGL 93H, and its definition of "personal information". Name and driver's license number; name and social security number; name and:
"...financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account" MGL c.93H s.1(a)(iii)(c)
If Sony lost the credit card number, and the person is from Massachusetts, bingo - our law applies. If not, well, it's not clear. Could the rest of the information that Sony lost allow access to someone's financial account? Can't tell.
But let's revisit Sony's statement: recall they said that they can't say for sure if the credit card number was lost. (no evidence, but can't rule out the possibility - remember?)
MGL c.93H s.3(b)(1)(2) says: "...(1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired..."
There we have it ladies and gents, the razor's edge. They're willing to say to the public that "out of an abundance of caution, presume your card's been compromised." But they don't affirmatively say that they "know" the card info has been compromised. Can you see why?
There are 46 different state laws regarding data breaches. I hereby offer my hourly services to Sony Corporation in helping them comply with those laws, in the event they have to...
And, as I like to do in situations like this, I'll try to figure out who did it: I think that the perps here are cybercriminals. This one's in their wheelhouse, and now 25% of American citizens' personal information is in Eastern Europe being analyzed for future use.