Thursday, April 28, 2011

Playstation Network data breach is a bloody mess - how to protect yourself, from the perspective of a former fraud analyst

So, I'm one of the minority among my group of friends that has and plays a PS3. Let me preface this rancor with the fact that, generally speaking, I love my console - I find it to be a much better media relay than my Xbox 360 (when the wifi isn't tweaking like a speed junkie), and the graphics are generally prettier. However, the folks who run the infrastructure behind the ill-fated and currently offline Playstation Network are a bunch of mouth-breathing idiots.

The PSN had been down since April 17th, with little to no information as to why. Rumors abounded as to the cause, and given the attacks by hacker activist group Anonymous the week before over Sony's treatment of Geohot (the guy who hacked the PS3 firmware), a lot of us figured it was an extended DDoS attack. Of course, rumors of a major hack and data breach started within a couple of days, with Sony finally getting off their collective asses and admitting to an "external intrusion" as of April 22.

What kills me, though, much like the official Japanese reaction to the Fukushima disaster, is the lack of an admission of a problem from Sony. Sony didn't warn their customers that there was a MASSIVE intrusion, and that MILLIONS of customers' personal information was compromised, until April 26th, A FULL 10 DAYS after the incident happened!!! Especially given the speed with which fraudsters can use your info (I have lots of personal experience - I used to investigate ID theft for T-Mobile), a delay like this is completely unconscionable!

Sony has now admitted via e-mail that "Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

This is a scary amount of information in the hands of the wrong people, fraudsters who can do a frightening amount with very little personal information, and can use what little they have to get more. Don't be lulled into a false sense of security because credit cards "may or may not have been compromised". A tremendous amount of damage can be done without a credit card number.

What's frightening beyond this is that Sony STILL doesn't know the extent of the breach, or if they do, they're playing those cards awfully close to the chest. When it comes to the level of compromised personal information that we see here, delaying vital information to the victims is utterly unforgivable.

I, for one, have lost a great deal of faith in Sony, and am seriously considering whether or not I want to cull my PS3 from the herd, as it were. Ironically, I paid for my first subscription to Playstation Plus (Sony's equivalent to XBL Gold) on the day the network went down, and of course, there's no word in regards to compensation for the lost time on our subscriptions. At the very least, Sony needs to step up to the plate and provide credit monitoring for the people affected by their lack of security.

Now, if you're caught up in this debacle, try not to panic. It's going to be really important to take some simple steps to help get this under control. First, call your bank and advise them of the data breach. You'll want to ask them if there's been any suspicious activity on your account, and you may want to go as far as getting a replacement debit/credit card, preferably with a new number. If, for whatever goofy-ass reason, you chose to use the same password for your PSN account as for the e-mail account you log in with, you're going to want to change that ASAP, along with any other important sites that use the same login/password combo. Next, you're going to want to check your credit report with ALL THREE credit bureaus for any suspicious activity, possibly even going as far as to request that a fraud alert be placed on your file. There are 2 different types of fraud alert: an initial alert lasting 90 days, and an extended alert which lasts 7 years. If you file a fraud alert, be aware that it will make it more difficult for you to obtain credit, as the bureaus will require additional info to verify your identity before they will extend credit. You can request 1 free credit report per year under federal law at www.annualcreditreport.com, which is the official place to go, unlike what those annoying commercials will tell you. I cannot stress enough that you need to make sure to talk to all three bureaus, as they all file and report activity differently and separately from each other, and credit checks can be run through any of them independently. I've included the contact information below for anyone who might need it.

Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

Hopefully, this will all get taken care of sooner than later on Sony's end, but in the meantime, I sure hope this helps.

*Edited 4/03/11.