Sony Sued For PlayStation Network Data Breach
suraj.sun writes "Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed. The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the US District Court for the Northern District of California. Johns accuses Sony of not taking 'reasonable care to protect, encrypt, and secure the private and sensitive data of its users.' He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"
Here's to sinking Sony's battleship (Score:5, Informative)
Re:Class Action (Score:1, Informative)
See AT&T MOBILITY LLC v. CONCEPCION, Slip Opinion No. 09–893 (PDF) [supremecourt.gov]
Re:not taking reasonable care (Score:5, Informative)
I'm not sure I buy that first part, given that no online service is ever going to be 100% secure.
Reasonable care would imply robustly isolating transaction processing systems and user-accessible systems from systems that store primary account numbers such as credit card/bank account numbers, and isolating those from online/public-access systems such as the internet or the PlayStation Network.
Reasonable care would include complying with PCI requirements, relating to auditing, security practices, separation of computer systems by role, and enforcing strong unique access credentials for users and systems.
So that a compromise of the publicly accessible network cannot lead to compromise of the account numbers.
This is highly doable. The only commands/services the PSN/publicly accessible servers need from account servers are a command to "add a new account number" to the database linked to a certain customer, a command to "erase an account number", a command to list a privacy-filtered summary to display a 'delete' user interface, and a command to "authorize/charge a transaction to account number" (without revealing what the number actually is to the transaction processing server).
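The narrow four-command interface described in this comment (and the "write-only" idea in the later comment title), as an added example written for this page, not Sony's or PSN's code. All names (CardVault, Storefront, breach_dump) are hypothetical; the acquirer call is stubbed with a constructed rule, the vault's transport and encryption at rest are assumed to exist outside this snippet, and the sample card number is the standard Visa test PAN. The point is that the public-facing side can add, erase, list and charge, but no command ever returns a full PAN, so dumping the storefront's whole database yields only tokens and last-four digits.

```python
"""Tokenising card vault behind a narrow command interface (illustrative).

Hypothetical names throughout. Assumes: the vault lives on an isolated
segment reachable only over an authenticated channel, PANs are encrypted
at rest there, and acquirer_authorize() stands in for a real processor.
"""
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Reject malformed PANs at the vault boundary (Luhn mod-10 check)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def acquirer_authorize(pan: str, amount_cents: int) -> bool:
    """Simulated acquirer; constructed rule: approve 1 cent to $5,000."""
    return 0 < amount_cents <= 500_000


@dataclass
class CardVault:
    """Isolated segment. Exposes only the four commands the storefront needs.
    Note what is missing: there is no command that returns a full PAN."""
    _cards: dict = field(default_factory=dict)  # token -> (customer_id, pan, expiry)

    def add_card(self, customer_id: str, pan: str, expiry: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("malformed PAN")
        token = secrets.token_hex(16)       # random, carries no information about the PAN
        self._cards[token] = (customer_id, pan, expiry)
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def erase_card(self, customer_id: str, token: str) -> bool:
        entry = self._cards.get(token)
        if entry is None or entry[0] != customer_id:   # token must belong to this customer
            return False
        del self._cards[token]
        return True

    def list_cards(self, customer_id: str) -> list:
        """Privacy-filtered summary for the 'delete' UI: last four digits only."""
        return [{"token": t, "last4": pan[-4:], "expiry": exp}
                for t, (cid, pan, exp) in self._cards.items() if cid == customer_id]

    def charge(self, customer_id: str, token: str, amount_cents: int) -> dict:
        """Authorize against the PAN without ever handing it back to the caller."""
        entry = self._cards.get(token)
        if entry is None or entry[0] != customer_id:
            return {"approved": False, "reason": "unknown card for customer"}
        _, pan, _ = entry
        if not acquirer_authorize(pan, amount_cents):
            return {"approved": False, "reason": "declined"}
        return {"approved": True, "auth_id": secrets.token_hex(8)}


@dataclass
class Storefront:
    """Public-facing service (the PSN side). Stores tokens and masked summaries only."""
    vault: CardVault
    db: dict = field(default_factory=dict)  # customer_id -> list of summaries

    def user_adds_card(self, customer_id: str, pan: str, expiry: str) -> str:
        summary = self.vault.add_card(customer_id, pan, expiry)   # PAN goes in, never comes out
        self.db.setdefault(customer_id, []).append(summary)
        return summary["token"]

    def user_deletes_card(self, customer_id: str, token: str) -> bool:
        if not self.vault.erase_card(customer_id, token):
            return False
        self.db[customer_id] = [c for c in self.db.get(customer_id, []) if c["token"] != token]
        return True

    def user_buys(self, customer_id: str, token: str, amount_cents: int) -> dict:
        return self.vault.charge(customer_id, token, amount_cents)


def breach_dump(store: Storefront) -> str:
    """What an attacker who fully compromises the storefront obtains: its entire DB."""
    return repr(store.db)


if __name__ == "__main__":
    vault = CardVault()
    store = Storefront(vault)
    tok = store.user_adds_card("alice", "4111111111111111", "12/14")
    print("storefront dump contains PAN:", "4111111111111111" in breach_dump(store))
    print("charge:", store.user_buys("alice", tok, 5999))
```

The check that matters is the last one: after a full compromise of the storefront, the attacker holds tokens that are only useful through the vault's charge command, scoped to the owning customer, and never the card numbers themselves. Tokens are random rather than derived from the PAN, so they cannot be reversed offline either.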
Re:He got notified? (Score:4, Informative)
It *needs* to happen. And happen big. Maybe after Sony files for bankruptcy, investors in other companies will start asking the CIO to ensure security at any cost.
Re:Class Action (Score:5, Informative)
Wow, I don't think you actually read that document. That opinion had absolutely nothing to do with Products or Services, and it doesn't disable class status for lawsuits. It states that an arbitration agreement that disallows class arbitration is allowable. Basically, if you sign away your right to arbitration by class action, that is valid, and you can't later invoke class-wide arbitration.
Lots of misinformation around here sometimes.
Re:Check your EULA... you probably can't sue (Score:2, Informative)
Um, you completely don't understand this. Arbitration is a long-standing method of settling a dispute between parties. It is extremely common in Professional Services engagement agreements, and it is also very common in other service agreements. I'm quite sure almost every agreement you sign for internet, phone, electricity, cable TV, etc also includes arbitration language.
Arbitration is a good thing. It allows small matters to be handled quickly, less expensively, and without mucking up our already congested court system. If you read the opinion, the court indicates that AT&T's arbitration agreement is specifically written to encourage the company to act in good faith. If a customer receives an arbitration award greater than the last written settlement offer, the customer gets $7,500 + twice any lawyer's fees. Clearly, AT&T has incentive to provide a good settlement. In this case, AT&T would have offered the plaintiffs $30.22, which is what the plaintiffs were (perhaps) wrongly charged in sales tax. Any decent arbitrator would have given the plaintiffs $30.22, which was their real loss. Trust me, arbitration agreements are a good thing. Our court system would be practically non-functional without them.
Re:Check your EULA... you probably can't sue (Score:3, Informative)
Our wonderful, conservative-activist Supreme Court just ruled today that any company may stick a line in their EULA stating that by using their product, you forfeit the right to sue, and must instead use a private arbiter of the corporation's choice.
Not true, actually. They ruled [npr.org] that customers that have signed a contract with a clause to that effect are bound to it. AFAIK, there is no settled case law saying that a shrinkwrap EULA is equivalent to a valid, signed contract.
Re:He got notified? (Score:3, Informative)
That's the risk the investors took. Don't like it? Invest in more reputable companies.
Re:Check your EULA... you probably can't sue (Score:5, Informative)
Re:Check your EULA... you probably can't sue (Score:2, Informative)
If by "go to the business" you mean the customer was charged $30.22 extra, and the business offered $30.22 credit, and the customer wanted arbitration, and the arbitrator decided on $30.22, then yes, I stand by his statement.
Transaction servers should be write-only (Score:2, Informative)
Re:He got notified? (Score:5, Informative)
Not the AC, but here was my email
Valued PlayStation(R)Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by rebuilding our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
For your security, we encourage you to be especially aware of email, telephone and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
- U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.
- We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below:
Ex