300,000 Kiwis' details may have been exposed

10:48, May 02 2011

The Privacy Commissioner is watching Sony closely after the hacking of its PlayStation Network placed personal information, which could include credit card details, of potentially more than 300,000 New Zealanders at risk.

Over the weekend, Sony executives bowed in apology for the security breach in the company's PlayStation Network, promising to improve security, compensate users and get the service back online within a month.

It has revealed 77 million accounts were exposed to the attack on the network - an online service that lets PlayStation 3 and PlayStation Portable owners play multiplayer games online and purchase content such as games and music.

It said personal information such as names, addresses, email addresses and login passwords had been stolen, but could not say whether credit card data - which it had encrypted - had been accessed.

More than 140,000 PlayStation 3s and 185,000 PlayStation Portables had been sold in New Zealand as of February, meaning as many as 325,000 New Zealanders could be vulnerable.

Privacy Commissioner Marie Shroff said: "We are watching this issue and Sony's response closely."


Privacy authorities in Australia, the United States and Japan are investigating the breach and her office was "keeping in active touch with them as their inquiries progress".

"Some of those international inquiries relate to criminal activity, in addition to the public harm from large personal data breaches."

Ms Shroff said New Zealand is a member of the new Global Privacy Enforcement Network (GPEN), which is designed to facilitate cross-border cooperation in the enforcement of privacy laws. "This incident may be one where international cooperation and coordination is useful."

Police have advised that people concerned about their credit cards should contact their banks to let them know their cards may have been compromised.

Internal Affairs has warned people to be on the alert for scammers using personal data obtained in the hacking attack, and advised them to review their online security including passwords and password questions and answers.

Sony Australia said more than 1.5 million Australian user accounts including potentially 280,000 credit card numbers were in the hands of hackers. However it said the 1.5 million number overstated the number of individual users as some would have sub-accounts or multiple accounts.

Asked to comment on reports from security experts that the stolen personal data was being offered up for sale in underground forums late last week, Sony Australia said "to our knowledge there is no truth to the reports that lists have been offered for sale".

However, despite these assurances more reports have surfaced over the weekend from PlayStation users claiming their details were stolen and fraudulent charges placed on their accounts. These charges have included a flight booked in Germany and purchases in Japanese grocery stores.

Sony shut down its PlayStation Network on April 20 when it learned of the security breach. But it wasn't until a week after the initial hack that Sony revealed personal details had been stolen, which the company says is because it didn't discover the theft until later in its investigations. It still can't say for sure whether credit card data was stolen.

"We deeply apologise for the inconvenience we have caused," said Kazuo Hirai, chief of Sony Corp.'s PlayStation video game unit, who was among the three executives who bowed for several seconds at the company's Tokyo headquarters in the traditional style of a Japanese apology.

"This criminal act against our network had a significant impact not only on our consumers, but our entire industry."

Hirai said parts of the service would be back this week and that the company would beef up security measures. But he and other executives acknowledged that not enough had been done in security precautions, and promised that the company's network services were under a basic review to prevent a recurrence.

Hirai said the FBI and other authorities had been contacted to start an investigation into what the company called "a criminal cyber attack" on Sony's data centre in San Diego, California.

Sony said that it will soon issue a security software update for PlayStation 3 users that will require all users to change their PlayStation Network and Qriocity account passwords.

Sony has added software monitoring and enhanced data protection and encryption as new security measures, he said. The company said it would offer "welcome back" freebies such as complimentary downloads and 30 days of free service around the world to show remorse and appreciation.

"I see my work as first making sure Sony can regain the trust from our users," Hirai said.

David Vaile, executive director of UNSW's Cyberspace Law and Policy Centre, said Sony's encryption of credit card data was of little use as "the hackers may have got into the central system, not just the encrypted data files". He also questioned the effectiveness of encryption systems against sustained attacks from skilled people with "time, computing power and a motive".

"This is a chilling example of the danger of personal data 'honeypots', a single point of failure that provides networked access to the data of thousands or millions of people and thus proves an irresistible lure to hackers, crackers and cybercriminals from around the world," he said.

"As systems get both more complex and more networked, we will continue to see the exploits of hackers continually a bit ahead of attempts to patch and secure systems perfectly, largely because the protectors have to be 100% perfect in their defence, while the attackers only need to find one tiny chink to get through."

The breach is a blow for Sony as it focuses on pushing its content such as games and music through hardware platforms such as game consoles, smartphones and tablet computers amid competition from Apple's iTunes and App store.

The PlayStation Network system was launched in 2006, allowing gamers to compete online, stream movies and access other services via the Internet.

US lawmakers have sent a letter to Hirai demanding answers by May 6 about the security breach and Sony's response.

Hirai said he had read the online version of the letter and would answer the questions as soon as possible.

Last month, US lawyers filed a lawsuit against Sony on behalf of lead plaintiff Kristopher Johns for negligent protection of personal data and failure to inform players in a timely fashion that their credit card information may have been stolen. The lawsuit seeks class-action status.

Hirai said the network problems would not hurt or delay Sony's product plans, including a tablet device that looks like Apple's iPad, an upgrade to the PlayStation Portable and a gradual global rollout of the Qriocity service.

Hirai said there was no evidence that the online miscreants group Anonymous was behind the attacks, despite threats from Anonymous to Sony over the company's legal pursuit of PlayStation 3 hacker George Hotz.

"While there may be no relation to this attack, the Sony network has also been targeted by the internet group Anonymous," said Hirai.

"In addition, the personal information on Sony's top management, including the names of their children, the schools they attend, and the names of other family members, has been published on the internet. They have also called for protests outside Sony stores around the world."

-with wires

The Dominion Post