Sony has posted a Q&A #1 for PlayStation Network and Qriocity Services, responding to some of the concerns raised about their recent breach.
Of note, they say that all of the credit card data were encrypted, although they acknowledge that the personal data table was not encrypted.
More will come out in time, of course. What strikes me is what seems like an over-reaction to this breach. I mean, come on, folks, this is not the first hack or compromise ever that may have involved credit card data. And this is not the first breach where people have been warned to watch out for scams or phishing attempts. Yes, it’s a large breach given the sheer volume of people affected, but I’m somewhat surprised at the people complaining that Sony is not in a position to answer all questions within a few days or who accuse them of disclosing “late.”
It seems like only a year ago that, if an entity disclosed a breach in less than two months, we considered it “quick.” The public’s expectation has seemingly shifted to expecting immediate disclosure and notification, but without regard for the fact that sometimes it takes a while to figure out what happened, how it happened, and what data were accessed or acquired. And of course, there’s all the usual politicking and posturing from legislators and privacy commissioners who want answers. It’s understandable that they want answers, and we want data protectors to look out for our data, but what is the point of so many investigations? I fully expect Sony will answer all of the questions when it can. For now, let them focus on figuring out what went wrong and what they need to do to prevent a recurrence. Aren’t those the priorities?
Users do not need to wait for answers from Sony to protect themselves. In my days as a medic, our motto was “treat for the worst and hope for the best.” Consumers who are unsure what has happened are best advised to assume the worst and act accordingly. Canceling or keeping an eye on your credit card is a nuisance, yes, but in the grand scheme of things, is it really that awful? And aren’t you already sophisticated enough not to click on links in emails or fall for phishing attempts?
If you think this breach is particularly egregious or that Sony has been negligent in security or outrageous in their handling of the breach compared to other breaches, tell me why. Otherwise, maybe everyone should just breathe out slowly and give the firm a chance to figure this out.
Update: Okay, I seem to be in the minority on this one, as one reader points out why he finds this breach particularly concerning, and other sources call into question whether Sony is being accurate – or honest – in claiming that credit card data was encrypted. Stay tuned….
People are all worried about their credit card data, but that’s a red herring. You’re not legally liable for fraud on your credit card over $50 as long as you notify the credit card company in a reasonable amount of time. And from personal experience, I know that the credit card companies won’t even hold you for the $50 because they want to keep you as a customer.
What I am worried about is my home/billing address, birth date, “security question/answer”, username and password being stolen. Now it’s much easier to impersonate me online and anywhere that information might be used to identify me. Now it’s not just credit card fraud I have to worry about, but a bunch of other kinds of fraud for which there are no strong consumer protections. This is why Sony recommended everyone get their credit reports and place a hold on getting any new loans, etc., because they know that is where the real risk is for the consumers whose privacy they failed to take even the most basic steps to secure.