This report will explore the high profile security breach of Sony’s Playstation Network (PSN) that led to millions of users’ personal and financial information being exposed. Focus will be placed on what occurred in the aftermath, analysing Sony’s response.
General Principles of Intellectual Property: Concepts of Intellectual Proper...
(Sony) Risk assignment final high profile security breach of Sony’s Playstation Network (PSN)
1. IS510
Risk Management
& Regulation in e-
Commerce:
Focus on Sony
27th April 2012
This report will explore the high profile security breach of Sony’s
Playstation Network (PSN) that led to millions of users’ personal and
financial information being exposed. Focus will be placed on what
occurred in the aftermath, analysing Sony’s response
James Dellinger
Grainne Malone
Jennifer Murphy
Ran Zhang
2. DCU BUSINESS SCHOOL
ASSIGNMENT SUBMISSION
James Dellinger
Grainne Malone
Student Name(s)
Student Number(s): Jennifer Murphy
Ran Zhang
Programme: MECB1 - MSc in Electronic Commerce
Risk Management & Regulation in e-Commerce
Project Title:
Assignment: Focus on Sony
Module code: IS510
Lecturer: Jack Nagle
Project Due Date: 27-APR-2012
Declaration
I the undersigned declare that the project material, which I now
submit, is my own work. Any assistance received by way of
borrowing from the work of others has been cited and
acknowledged within the work. I make this declaration in the
knowledge that a breach of the rules pertaining to project
submission may carry serious consequences.
I am aware that the project will not be accepted unless this form has
been handed in along with the project.
Page | 1
4. TABLE OF CONTENTS
DCU Business School Assignment Submission .............................................................. 1
Introduction ............................................................................................................................ 4
Company Overview ............................................................................................................... 4
PSN Data Collection ........................................................................................................... 4
High Profile Data Breach Incident ..................................................................................... 5
Why it happened ................................................................................................................. 5
Sony‟s Immediate Response .............................................................................................. 6
Policies Introduced as a Result ......................................................................................... 7
Any Recent Scandal ............................................................................................................ 7
Vulnerabilities in Legislation.............................................................................................. 7
Conclusions ............................................................................................................................. 9
References/Literature ............................................................................................................ 9
Page | 3
5. INTRODUCTION
It is anticipated that global e-commerce revenue will hit $963 billion by 2013, with
predicted growth of 19% annually (Rao, L., 2011). This growth will undoubtedly see
more consumers handing over personal financial data. With frequent high profile
online security breaches jeopardising consumer‟s information, the focus must be on
what measures companies are taking to secure this data and what legislation exists
to place obligations on commercial entities to meet acceptable standards of online
security.
This report will explore the high profile security breach of Sony‟s Playstation
Network (PSN) that led to millions of users‟ personal and financial information
being exposed. Focus will be placed on what occurred in the aftermath, analysing
Sony‟s response. An analysis will also be made of the damage if any that was done
to the company‟s‟ corporate reputation, and the measures that have been brought
about to negate any damage done to the brand‟s reputation and avoid such a
scenario arising again.
Finally, there will be a discussion as to the role of legislation in defining Sony‟s legal
responsibility with respect to this incident.
COMPANY OVERVIEW
Sony needs little introduction as one of the world‟s leading digital entertainment
brands, with a large portfolio of multimedia content. A key focus for Sony is its
gaming division, Sony Computer Entertainment, a major video game company
specializing in a variety of areas in the video game industry which is the focus of this
report. The PlayStation Network (PSN) is an online multiplayer gamingdigital media
delivery service, in order to use the service users are required to create an account.
PSN DATA COLLECTION
Sony collects data from its Playstation Network account holders for the purpose of
billing. Data collection is as follows:
Page | 4
6. Name
Address
Country
E-mail address
Date of Birth
PSN password and login name
Apart from this profile data, additional information is compiled internally including
purchase history and billing address, the security question answers to user‟s
accounts.
HIGH PROFILE DATA BREACH INCIDENT
On 19th April 2011 Sony discovered a security breach in its PlayStation Network
(PSN) resulting in a temporary shutdown of service for users. Customers were
unable to download any games or play online. Qriocity, Sony‟s music and video
streaming service was also impacted (O‟Brien, 2011). Hackers had exposed a
weakness in the encryption system, obtaining the public key needed to run any
software on the machines (Stuart,2011). This breach was one of the most significant
ever, with 77 million users put at risk of fraudulent activity via credit cards. The
hackers stole users personal information which if sold on through online black
markets had a potential worth of £100 million (Arthur and Stuart 2011).
WHY IT HAPPENED
The attack on the Sony PlayStation Network was enabled by the lack of a random
number in the algorithm utilised by the security system therein. This ultimately
allowed the secret key used for the protection of digital content on the system to be
discovered. This was a crucial mistake for Sony to make (Markoff, 2012). The
security practices in place in Sony also left much to be desired. The company failed
to protect the networks by using firewalls. Sony was also using Web applications
Page | 5
7. that were obsolete, making the company sites attractive targets for hacking activity.
Outdated versions of the Apache Web server were in use and there were no patches
applied on the PlayStation network. There was no firewall running on the
PlayStation network servers (Rashid, 2011).
Within the Sony organisation, at board level, there were also problems and failings.
There existed organisational complexity and a lack of adequate support for security.
It is not known exactly what security measures Sony had in place prior to the breach.
However, organisational complacency also played a role in the PlayStation Network
attacks. Security entails more than adequate software and encryption; all aspects of
the company require involvement; people, processes and technology. (Boyd and
Thomas, 2011).
SONY‟S IMMEDIATE RESPONSE
The response from Sony to the PlayStation Network attack was far from ideal. It took
until April 26th, a week after the event, for the company to admit that personal
information had in fact been stolen and the possibility that credit card information
had also been taken. It took until day 11 for Sony executives to apologise with the
CEO Howard Stringer still remaining publically silent. The lack of clear
communication, transparency and direction to their customers following the security
breach was extremely poor. On May 6th an apology from Stringer finally came. The
company would offer all their PlayStation network customers free credit for a year
and monitoring for ID theft (Noer 2011).
New security measures were implemented by the company. They consulted with
security experts to put in place security to strengthen the safeguards to stop
unauthorised activity and protect the personal information of their customers. These
new security systems put in place included software monitoring, penetration and
vulnerability testing. Increased encryption and firewalls were also put in place.
Symantec worked with Sony to improve this security and relocate the network to
another data center. The company also recognised the need for improved
management. (Takahashi, 2011).
Page | 6
8. POLICIES INTRODUCED AS A RESULT
A few months after the attack, Sony Computer Entertainment has created a new
position – Chief information security Officer (CISO), and appointed a former
Microsoft executive and the director of the National Cyber Security Center at the US
Department of Homeland Security Phillip Reitinger to this position, responsible for
"security of Sony's information assets and services”. His job is to oversee information
security, privacy and internet safety across the company, coordinating closely with
key headquarters groups and working in partnership with the information security
community to bring the best ideas and approaches to Sony. (Source: Sony Corp. Info)
Sony also introduced a line of sentence in their Terms of Service, asking users to
agree that not to take legal actions against Sony in court. (Source: Section 15, Terms
of Services, Sony Entertainment Network) This was criticised by the public, however
Sony claimed that it was for the benefit of both Sony itself and the customers.
ANY RECENT SCANDAL
Even after Sony has claimed that the level of data protection has increased, it still
remained the target of several security breaches.
1. June 2011: An SQL injection attack by a computer hack group – LulzSec
against Sony Pictures disclosed personal information of over 1 million Sony
customers.
2. June 2011: Just a few days after the SQL injection attack, the same hack group
targeted Sony‟s developer network and posted details of Sony BMG network
maps from a New York City office and 54MB of Sony developer source code.
3. October 2011: Brute-force attack broke into 93,000 PlayStation and Sony
network accounts.
4. January 2012: attacks agains a several websites operated by Sony for the
corporation‟s support of the US Stop Online Piracy Act (SOPA).
VULNERABILITIES IN LEGISLATION
European Regulations
Page | 7
9. In Europe, security breaches of this nature fall under data protection and privacy
regulation which the European Commission leaves to each EU member state unlike
Europe‟s antitrust regulation, which is centralised. In the aftermath of Sony‟s breach,
a number of European countries launched independent investigations The power of
this centralised approach means that and the European Commission has the power
to issue multibillion euro fines to companies found in breach, which it has
successfully done in the past to companies like Microsoft and Intel.
In the United Kingdom, the Information Commissioner‟s Office (ICO), which has the
power to fine Sony up to £500,000 if it finds that individuals were „seriously
affected‟. However, one year on from the breach a decision on whether Sony will be
fined will not be due until early May 2012 according to the ICO website.
In Ireland, the Data Protection commissioner contacted Sony Ireland and requested
the company to prepare a full report disclosing the risk posed to its Irish customers.
The fact that Irish regulation did not require the data protection commissioner to
launch an independent investigation (despite the nature of the high profile breach)
indicates vulnerability in Irish data protection regulation. Sony was never ordered to
pay a fine in Ireland and despite investigations in countries including Spain, France,
Germany and the Czech Republic, no country has yet to issue a fine.
Although, there are European member states that would be unwilling to relinquish
control of their data protection regulations, it must be highlighted that the lack of
centralisation means that serious security breaches involving consumer data are
occurring without any damaging financial penalties being imposed on the company.
With little implications or consequences in place for breaches of this magnitude, it
could be argued that as a result there is also little motivation for companies to invest
heavily in security and policies that would protect their consumer data.
This breach ignited new discussions in Europe regarding the extension of
current data protection laws beyond the telecommunications industry. These laws,
known as the E-Privacy Directive, currently affect the telecommunication industry
and require telecom networks in the EU to make a swift, mandatory disclosure about
Page | 8
10. a data breach. If the proposed extension to the directive is made, Matthew
Newman,a spokesman for the EU Justice Commissioner was quoted as saying „they
will modernize rules dating from 1995, and could expand to e-banking, online
shopping or the personal data field‟
CONCLUSIONS
The Sony case has taught different people many lessons. For our interest in risks
and how they relate to consumer information and data breaches this remains is an
important case to study. The terms of a companies duty to disclose has been more
closely scrunitized by regulators worldwide given the large fraud related concerns.
This was primarily due to Sony‟s poor response to inquiries during the crisis. More
lenient legal contructs (like California‟s) regarding obligations to inform customers
and clients of data breaches have become more noticably in of reform for consumer
and fraud pertection. However, what is actually changes at the American federal
and European intergovermental level are still up in the air.
REFERENCES/LITERATURE
Arthur C. and Stuart, K. 2011. PlayStation Network users fear identity theft after major data
leak [Online]. Available from:
http://www.guardian.co.uk/technology/2011/apr/27/playstation-users-identity-theft-data-
leak?INTCMP=ILCNETTXT3487 [Accessed April 2012].
Boyd C. and Thomas S. 2011. Security lessons from the PlayStation Network breach[Online].
Available from:http://venturebeat.com/2011/09/22/security-lessons-from-the-
playstation-network-breach/[Accessed April 2012].
Markoff, J. 2012. Flaw Found in an Online Encryption Method [Online]. Available from:
http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-
encryption-method.html?pagewanted=all [Accessed April 2012].
Noer, M. 2011. Sony Response to PlayStation Security Breach Abysmal [Online]. Available
from:
http://web.ebscohost.com.remote.library.dcu.ie/ehost/detail?vid=3&hid=19&sid=8911fbf4-
838c-4cfd-b915-
Page | 9
11. 9a6091edff44%40sessionmgr14&bdata=JnNpdGU9ZWhvc3QtbGl2ZQ%3d%3d#db=bth&A
N=65258326 [Accessed April 2012].
O’Brien, C. 2011. Sony’s PlayStation network hacked [Online]. Available from:
http://www.irishtimes.com/newspaper/breaking/2011/0427/breaking2.html [Accessed April
2012].
Rao, Lenna, 2011 “J.P. Morgan: Global E-Commerce Revenue To Grow By 19 Percent
In 2011 To $680B” TechCrunch[Online]http://techcrunch.com/2011/01/03/j-p-
morgan-global-e-commerce-revenue-to-grow-by-19-percent-in-2011-to-680b/
Rashid, F.Y. 2011. Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony
[Online]. Available from: http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-
Firewall-Ran-Obsolete-Software-Testimony-103450/ [Accessed April 2012].
Stuart, K. 2011. PlayStation 3 hack – how it happened and what it means [Online]. Available
from: http://www.guardian.co.uk/technology/gamesblog/2011/jan/07/playstation-3-hack-
ps3?intcmp=239 [Accessed April 2012].
Takahashi, D. 2011. Will PlayStation Network’s improved security be good enough?
[Online]. Available from:
http://venturebeat.com/2011/05/14/will-the-improved-security-for-playstation-network-be-
good-enough/ [Accessed April 2012].
Sony‟s Response to the U.S. House of Representatives, 04 May, 2011, Posted by
Patrick Seybold – Sr. Director, Corporate Communications & Social Media,
PlayStation Blog, URL: http://blog.us.playstation.com/2011/05/04/sonys-
response-to-the-u-s-house-of-representatives/
Philip R. Reitinger is Named Senior Vice President and Chief Inofmation Security
Officer, Sony Corporation, Sony Corp. Info., News Releases, September 6, 2011, URL:
http://www.sony.net/SonyInfo/News/Press/201109/11-109E/index.html
Terms of Service, Sony Entertainment Network, URL:
www.sonyentertainmentnetwork.com/terms-of-service/
Page | 10