Or, "how Sony just made the best case for pre-paid point cards ever."
There's one tiny drop of good news out of the latest update on the PlayStation Network outage and I might as well lead with that. According to a lengthy PlayStation blog post from SCEA's Patrick Seybold, the company "expect to restore some services within a week." He doesn't specify what services, nor does he guarantee the timeline or provide any details beyond "an illegal and unauthorized intrusion," but hey, it's something.
So that was the kind of good news. Now for the insanely bad.
As Seybold lays it out, the hacker — or "unauthorized person" to be specific — managed to obtain pretty much every bit of information you might've given the company, which I'm listing below:
- Address (city, state, zip)
- Email address
- PSN / Qriocity password and login
- PSN online ID / handle
- Purchase history
- Billing address
- Password security answers
If you're the sort that reuses login / password combinations, or uses the same security questions and answers across multiple services, you might want to rewrite history and double check the "forget password" steps for all your accounts. (We might also suggest having multiple answers for mother's maiden name and your first grade teacher.) But it gets worse. According to Seybold, "while there is no evidence at this time that credit card data was taken, we cannot rule out the possibility." It's something we heard yesterday in an IDG News report, but this is the first official posting. Sony is clearly worried about this notion and spends the next half of the article outlining ways you can check your credit report and protect yourself now that the damage is done.
It's the right thing to do for Sony, informing the now-vulnerable PS3 owner, but the handling of everything else downright scares me. How much time passed between the company learning what information was breached and this PSA being published? As Nilay wrote earlier today, the network has been down since the 20th, almost a week's time. Also, were the passwords obtained through extra trickery, or was there no extra encryption on that information?
If you have a PSN account, chances are most (if not all) of the above-listed information is at risk. There's not much you can do about it now, aside from a credit report and due diligence on your part to check accounts and change passwords / security questions. I'm sure I'm not alone here in saying Sony has lost my confidence in their ability to protect my personal data, and that's a vulnerability I can't in good conscience take lightly.
There are ways to work around giving Sony your billing information, even if they aren't the most convenient. Physical PSN cards can be found at most retailers — Amazon even goes the extra mile and gives you the redeem code online immediately after purchase. That, of course, requires you to give your personal data to Amazon, but being afraid of all online transactions tends to become a slippery slope of paranoia and worry. At some point, you have to accept that your personal information will be transferred through copper wires and 802.11 bands. I had no reason to doubt Sony would protect my information; now I have no reason to trust they'll be able to in the future.