Sony Sued For PlayStation Network Data Breach

samzenpus posted more than 2 years ago | from the lick-em-while-their-down dept.

Networking 404

suraj.sun writes "Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed. The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the US District Court for the Northern District of California. Johns accuses Sony of not taking 'reasonable care to protect, encrypt, and secure the private and sensitive data of its users.' He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"

404 comments

First of all... (1)

Anonymous Coward | more than 2 years ago | (#35958684)

That'll teach them.

So it begins... (2, Funny)

Anonymous Coward | more than 2 years ago | (#35958686)

the great battle of our time...

not taking reasonable care (1)

Anonymous Coward | more than 2 years ago | (#35958690)

I'm not sure I buy that first part, given that no online service is ever going to be 100% secure. I understand that one should take prudent steps toward making a "best effort" in that regard, but at the end of the day, if some well-funded crime kingpin wants in, there probably isn't much you'd be able to do about it. It's the second one that has my blood boiling in sympathy, partly because this is practically Sony's trademark: if something goes wrong with their products, don't go public with it, don't acknowledge it, don't even think about it, and maybe it will go away!

Re:not taking reasonable care (3, Insightful)

Labcoat Samurai (1517479) | more than 2 years ago | (#35958700)

Maybe this lawsuit will require them to come forward with the steps they *did* take. Up until now, it's largely been speculation. If they locked the door but left open a window, I want to know. And I want to know how open that window was left.

Re:not taking reasonable care (1)

mysidia (191772) | more than 2 years ago | (#35958784)

If they locked the door but left open a window, I want to know. And I want to know how open that window was left.

Sometimes leaving the window ajar is a good idea, if you don't want the thief to smash the window on the way in.

Re:not taking reasonable care (1)

Anonymous Coward | more than 2 years ago | (#35958838)

Sometimes leaving the window ajar is a good idea, if you don't want the thief to smash the window on the way in.

Nominated for this week's dumbest comment. A closed window is a deterrent. An open window is an invitation.

Re:not taking reasonable care (1)

JDAustin (468180) | more than 2 years ago | (#35959006)

When I had a convertible, I used to leave it unlocked. This way if they were going to break in, at least I wouldn't need to buy a new top.

Re:not taking reasonable care (1)

Anonymous Coward | more than 2 years ago | (#35959032)

Smart man. I leave my car unlocked too so the crack-heads can just take the $1.27 from my ashtray and save me the trouble of buying a new car window every time I park out on the street.

Re:not taking reasonable care (1)

Anonymous Coward | more than 2 years ago | (#35959058)

Whenever I open Windows I get hacked too. :/

Re:not taking reasonable care (5, Funny)

DeadboltX (751907) | more than 2 years ago | (#35959110)

When I ran a server that contained sensitive customer data, I left the database open and without a password. That way if someone was going to hack me, I didn't have to buy a new password. Analogy fail.

Re:not taking reasonable care (0)

Anonymous Coward | more than 2 years ago | (#35959260)

Nominated for this week's dumbest comment. A closed window is a deterrent. An open window is an invitation.

Congratulations. I second that nomination for your comment.

An open window is an invitation? No it fucking isn't. I open mine for fresh air - granted while I'm IN the building - so I'm "inviting people in" by your logic?

I sense I may have descended to the depths of feeding a troll but sadly, there really do seem to be people on this earth who think like you, just as there are people who will say "Oh, the idiot left a window open? Well, he deserves it!". Meanwhile, most reasonable people would accept the fact that if they leave a window open and get robbed, it's their own fault because most reasonable people also understand that there are morons like you in the world. On the other hand and thankfully, most reasonable people also understand that an open window ISN'T an invitation.

I suppose my point is, when did society deteriorate to the point where NOT watching your privacy and possessions like a hawk was "unreasonable", and those taking liberties were the ones acting reasonably?! It can't be that long ago when common fucking sense of knowing and being taught right from wrong went out the window...

Re:not taking reasonable care (1, Interesting)

Darkness404 (1287218) | more than 2 years ago | (#35958746)

The problem is that it is never a "well funded crime kingpin" and most often a 15-30 year old or an (ex) employee that noticed some gaping, obvious security flaw. Data breaches like this are rarely the work of huge "cyber gangs" and mostly the work of individuals who noticed some huge flaw that Sony had. The crime kingpins wouldn't bother with something like this because it is a whole lot easier to sell botnets with 3nl@rg3 y0ur p3n15 spam.

Re:not taking reasonable care (3, Insightful)

Anonymous Coward | more than 2 years ago | (#35958774)

Thank you Mr. Armchair Expert!

Re:not taking reasonable care (2)

TheEyes (1686556) | more than 2 years ago | (#35959038)

The problem is that it is never a "well funded crime kingpin" and most often a 15-30 year old or an (ex) employee that noticed some gaping, obvious security flaw. Data breaches like this are rarely the work of huge "cyber gangs" and mostly the work of individuals who noticed some huge flaw that Sony had. The crime kingpins wouldn't bother with something like this because it is a whole lot easier to sell botnets with 3nl@rg3 y0ur p3n15 spam.

Twenty years ago you may have been right, but these days botnets are a multi-million dollar operation, underground black markets sell botnet time just like Amazon sells computer cycles, and cyber-gangs sell credit card numbers for a few dollars a pop. Cracking isn't the sole province of bored kids typing away from their parents' basement anymore; it's an industry, staffed by professionals.

Re:not taking reasonable care (5, Informative)

mysidia (191772) | more than 2 years ago | (#35958766)

I'm not sure I buy that first part, given that no online service is ever going to be 100% secure.

Reasonable care would imply robustly isolating transaction processing systems and user accessible systems from systems that store primary account numbers such as credit card/bank account numbers from online/public access systems such as the internet, or the playstation network.

Reasonable care would include complying with PCI requirements, relating to auditing, security practices, separation of computer systems by role, and enforcing strong unique access credentials for users and systems.

So that a compromise of the publicly accessible network cannot lead to compromise of the account numbers.

This is highly doable. The only commands/services the PSN/publicly accessible servers need from account servers is a command to "add a new account number" to the database linked to a certain customer, a command to "erase an account number", a command to list privacy-filtered summary to display a 'delete' user interface, and a command "authorize/charge a transaction to account number" (without revealing what the number actually is to the transaction processing server).
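The four-command interface described in the comment above, sketched as an added example (not part of the original comment and not Sony's or any vendor's code). The class name `AccountVault`, the `processor` callable and the customer ids are assumptions made for illustration; the card number is the widely published Visa test number.

```python
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the check digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class ChargeResult:
    approved: bool
    reference: str              # opaque id the front end can store with the order


class AccountVault:
    """Runs on the isolated account server. The front end can reach only the
    four public methods below; no method returns a stored account number."""

    def __init__(self, processor):
        # processor: callable(pan, amount_cents) -> bool. Hypothetical stand-in
        # for the link to the card processor, which exists only on the vault side.
        self.processor = processor
        self.cards = {}         # (customer_id, token) -> PAN; encrypted at rest in a real system

    def add_account(self, customer_id: str, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid account number")
        token = secrets.token_urlsafe(16)   # random handle, not derived from the PAN
        self.cards[(customer_id, token)] = pan
        return token

    def erase_account(self, customer_id: str, token: str) -> bool:
        return self.cards.pop((customer_id, token), None) is not None

    def list_accounts(self, customer_id: str) -> list:
        # Privacy-filtered summary: enough to draw a "delete this card" screen.
        return [{"token": tok, "display": "**** " + pan[-4:]}
                for (cust, tok), pan in self.cards.items() if cust == customer_id]

    def charge(self, customer_id: str, token: str, amount_cents: int) -> ChargeResult:
        if not isinstance(amount_cents, int) or amount_cents <= 0:
            raise ValueError("amount must be a positive whole number of cents")
        pan = self.cards.get((customer_id, token))
        if pan is None:         # unknown token, or a token owned by another customer
            return ChargeResult(False, "")
        approved = self.processor(pan, amount_cents)
        return ChargeResult(approved, secrets.token_hex(8) if approved else "")


def demo():
    """Collect everything a (possibly compromised) front end can ever observe."""
    vault = AccountVault(lambda pan, cents: cents <= 50_000)
    token = vault.add_account("alice", "4111 1111 1111 1111")  # published test number
    observed = [
        token,
        vault.list_accounts("alice"),
        vault.charge("alice", token, 1999),
        vault.charge("mallory", token, 1999),   # stolen token, wrong customer
        vault.erase_account("alice", token),
    ]
    return observed


if __name__ == "__main__":
    for item in demo():
        print(item)
```

An attacker who fully controls the front end can misuse these commands for as long as the session lasts, but has no command that dumps the stored numbers.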

Re:not taking reasonable care (1)

oztiks (921504) | more than 2 years ago | (#35958920)

Yes and no. Being an Xbox Live player (hate to say this cause it's MS we are talking about) but you can enjoy gaming without the possibility for account Hijacking. The only real problems Live has is people boosting the game.

PS on the other hand, first off it's a free service, 2nd it's continually having Script kiddies hack the game steal accounts. In fact I don't think I have ever met a single PS player that hasn't had their game hacked, messed with, or account stolen.

It seems lost in the article (because there isn't anything definitive suggesting it was done on purpose) but there is definitely plenty of malicious activity taking place on PS network. This was bound to eventually happen.

Re:not taking reasonable care (1)

JMJimmy (2036122) | more than 2 years ago | (#35959096)

What's the problem with boosters? They usually stick to themselves and avoid randoms as much as possible...

Anyway, I hope one of these lawsuits hits Sony hard.

Re:not taking reasonable care (1)

oztiks (921504) | more than 2 years ago | (#35959196)

Aside from the ethics behind boosting, nothing really. I agree with you on that Sony needs to be pulled into line regarding this. I know so many clueless 15 year olds that habitually steal PS accounts.

PCI isn't even going to come into play here which is quite astonishing. The upset consumer going for the cash grab won't be the issue. It will be Mastercard and Visa.

Re:not taking reasonable care (0)

Anonymous Coward | more than 2 years ago | (#35959258)

Wait what?

I haven't, not including this monumental fail of a hack thanks to Sony, had my PSN account hacked. Secondly, what do you mean XBox can't get hijacked - are you saying it's IMPOSSIBLE? Sounds like a challenge to me.

Just because something hasn't been hacked yet, doesn't mean it's unhackable. Just ask Sony and their unhackable PS3... or Microsoft and the original XBox.

Re:not taking reasonable care (1)

errandum (2014454) | more than 2 years ago | (#35959222)

100%, no, but RSA with a long key is virtually uncrackable by today's standards.

I had a school project that dealt with credit cards and the first thing we did was investigate encryption. AES, triple DES, RSA, even DES, anything is better than PLAIN TEXT.

They sat on it for a week... (1)

Anonymous Coward | more than 2 years ago | (#35958698)

So, they sat on it for a week...

And in the process, they are claiming that they do not have any reason to believe that Credit Card Information was actually accessed.

It seems as though the core concept of this case hinges on whether or not Credit Card numbers were actually accessed, which is something that Sony will definitely be going out of their way to hide, as it is grounds to show that all claims are ultimately invalid within this case.

In any case, there would need to be disclosed proof stating that not only Credit Card numbers *were* accessed, but that Sony *intentionally* went out of their way to hide this fact from their customers.

Seems flimsy at best.

Re:They sat on it for a week... (5, Insightful)

Darkness404 (1287218) | more than 2 years ago | (#35958808)

And sitting on something like this for a week -is- a problem. When you have possibly exposed the equivalent of 25% of the US population to credit card fraud, the world needs to know. This isn't some "oh whoops, one of our laptops is missing" instead this is a data breach affecting 77 million people. And to say -nothing- is completely irresponsible. A week is a pretty long time to not say -anything- and to just hope that it will go away.

Even someone who has your personal information for a few hours can cause havoc in your life, let alone for an entire week.

Re:They sat on it for a week... (0)

Anonymous Coward | more than 2 years ago | (#35958894)

The week was most likely for forensics. Once you've worked out somebody's in, there's not exactly the equivalent of a trail of breadcrumbs to tell where they've been. I don't envy their management, they get to work out which is worst:
a) the hackers don't know they got somewhere sensitive, and you tell the world 'possibly' these details went missing, then when it's all back up the hackers try harder because they know where to look
b) leave everybody hanging and worrying, but know for sure, be able to make a full announcement and deploy countermeasures.

I think they did the right thing in shutting off all access, but not giving a 'we are investigating the extent of....' was not so great. Ah well, just hope there isn't a next time.
 

Re:They sat on it for a week... (0)

Anonymous Coward | more than 2 years ago | (#35959128)

Also, we've no idea how long the network itself was compromised; if the Rebug rumors are true, then the network was compromised for at least one week prior to being shut down.

A week is long enough for hacker to do plenty... (0)

elucido (870205) | more than 2 years ago | (#35958832)

And once the information is out there it's out there. And this is the sort of information which will lead to identity theft, blackmail, extortion, social engineering and other schemes which will only be revealed into the distant future.

This means there will be more than 70 million people affected by this. Anyone who got compromised, now their names, addresses, and personal information and passwords are free for all the hackers all around the world to access. Hackers in foreign countries, will be able to buy this information and wreak havoc and there is very little the authorities in this country will be able to do once hackers in China or Iran have access to this.

Class Action (1)

Anonymous Coward | more than 2 years ago | (#35958702)

So, this will probably turn into a class action lawsuit in the coming weeks. Lawyers will get incredibly rich, and those affected will get a free PS3 wallpaper or something.

Re:Class Action (1, Informative)

tysonedwards (969693) | more than 2 years ago | (#35958760)

Unfortunately, yesterday the Supreme Court ruled that one can not seek Class Action status for cases involving Products or Services.

See AT&T MOBILITY LLC v. CONCEPCION, Slip Opinion No. 09–893 (PDF) [supremecourt.gov]

Re:Class Action (0)

Anonymous Coward | more than 2 years ago | (#35958878)

Unfortunately, yesterday the Supreme Court ruled that one can not seek Class Action status for cases involving Products or Services. See AT&T MOBILITY LLC v. CONCEPCION, Slip Opinion No. 09–893 (PDF) [supremecourt.gov]

You think this is a bad thing?!

Re:Class Action (1, Flamebait)

TheEyes (1686556) | more than 2 years ago | (#35959086)

Unfortunately, yesterday the Supreme Court ruled that one can not seek Class Action status for cases involving Products or Services.
See AT&T MOBILITY LLC v. CONCEPCION, Slip Opinion No. 09–893 (PDF) [supremecourt.gov]

You think this is a bad thing?!

Hell yes it's a bad thing! When a large corporation can use a shrink-wrap EULA to force you into binding arbitration (read: a "court" they have literally bought and paid for), you will never again see that corporation bother with proper customer service. Remember, according to Sony you don't actually own your PS3; by signing up for the PSN, you are effectively renting that machine from Sony. From here on out, the customer is always wrong: our kangaroo court says so!

Re:Class Action (5, Informative)

fermat1313 (927331) | more than 2 years ago | (#35959048)

Wow, I don't think you actually read that document. That opinion had absolutely nothing to do with Products or Services, and it doesn't disable class status for lawsuits. It states that an arbitration agreement that disallows class arbitration is allowable. Basically, if you sign away your right to arbitration by class action, that is valid, and you can't later invoke class-wide arbitration.

Lots of misinformation around here sometimes.

Re:Class Action (1)

olsmeister (1488789) | more than 2 years ago | (#35959120)

if you look at the document in TFA you will see that this is filed as a class action suit.

Re:Class Action (0)

Anonymous Coward | more than 2 years ago | (#35959134)

From TFA: "and is seeking class action status."

Re:Class Action (1)

shentino (1139071) | more than 2 years ago | (#35959188)

Not quite.

I just gave the decision a once over and it only states that binding arbitration clauses in agreements can bar class action claims.

You can still sue for tort or other claims that are not the subject of such agreement.

He will have a hard time.... (1)

mysidia (191772) | more than 2 years ago | (#35958710)

Because of that, the complaint alleges, Sony did not allow its customers 'to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.'"

Normally to sue a corporation over claimed negligence; you actually have to show that you were harmed.

Meaning, the plaintiff will probably have to show his inability to take mitigating actions due to Sony's negligence actually resulted in a loss or damages.

I suspect that will be difficult to pull off, unless his CC account was hacked / fraud was committed against him already as a result of the intrusion into Sony's network.

As for damages related to 'closing the account'.... if he were taking mitigating action, he would have to incur that loss regardless of whether Sony informed him earlier or not.

Now his bank and the payment card industry should be the ones taking the strongest stance against Sony; since it's the banks that most immediately bear the cost of fraud (due to policy of $0 liability for unauthorized account use; once the account owner identifies the transactions as fraudulent).

Re:He will have a hard time.... (1)

ShiftyOne (1594705) | more than 2 years ago | (#35958762)

He will most likely try and get a settlement out of it before he has to show much damages. He should have gone with the privacy route, it would be much easier to get a settlement, and you automatically get around $10 million without having to show harm.

Re:He will have a hard time.... (0)

Anonymous Coward | more than 2 years ago | (#35958764)

As for damages related to 'closing the account'.... if he were taking mitigating action, he would have to incur that loss regardless of whether Sony informed him earlier or not.

But he wouldn't have incurred it if Sony had taken proper precautions to secure his data.

Re:He will have a hard time.... (0)

Anonymous Coward | more than 2 years ago | (#35958940)

How do you know they didn't?

Re:He will have a hard time.... (1)

Fnord666 (889225) | more than 2 years ago | (#35958788)

Now his bank and the payment card industry should be the ones taking the strongest stance against Sony; since it's the banks that most immediately bear the cost of fraud (due to policy of $0 liability for unauthorized account use; once the account owner identifies the transactions as fraudulent).

The banks won't lose a cent. They will turn around and charge all of that fraud back to the merchants who accepted the charges.

He got notified? (5, Insightful)

FSWKU (551325) | more than 2 years ago | (#35958712)

I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.

Sadly, I know how this is going to turn out. There will be a class-action suit in which Sony is fined heavily. But the vast majority of the money will go to some shark lawyer, and the only thing the people affected by this will receive is a free 1-month subscription to PSN+. Actually, I'll be surprised if they even give us that much.

If this DOES go class-action, I will definitely be on the lookout for my notice to opt out. If I see any erroneous charges on my card stemming from this massive amount of incompetence, I want to retain my full legal right to bring my own suit against Sony where they will be required to provide me with credit monitoring and credit fraud protection. I'm sorry, but a boilerplate "we're sorry" and some token gesture are NOT going to cut it here.

Re:He got notified? (4, Funny)

Labcoat Samurai (1517479) | more than 2 years ago | (#35958734)

I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.

Indeed. On the blog, I noticed some apologist in the comment section trying to defend Sony by saying that it takes a long time to send 77 million emails. Tell that to a spammer, I thought.

Re:He got notified? (3, Interesting)

Bios_Hakr (68586) | more than 2 years ago | (#35958798)

Definitely. I'd love to see Sony deal with 77M suits in small-claims court.

At $500 per suit, that would be something like $38B.

Re:He got notified? (1)

FSWKU (551325) | more than 2 years ago | (#35958822)

Don't forget the legal fees incurred (both from Sony's lawyers AND having to pay the legal fees for every claim they lose).

Re:He got notified? (0)

Anonymous Coward | more than 2 years ago | (#35958884)

Good luck getting by the mandatory arbitration clause.

Re:He got notified? (1)

FSWKU (551325) | more than 2 years ago | (#35958938)

But are arbitration clauses even valid in cases of gross negligence and withholding vital information needed to prevent financial damages?

Re:He got notified? (-1)

interkin3tic (1469267) | more than 2 years ago | (#35958942)

I'd hate to see that, as the investors would lose, the employees would lose, and the global economy would lose. Sony's huge. Most of their employees and investors did nothing to deserve this. Isn't gaming only a small part of sony?

I dislike that sony has been allowed to grow that big and powerful, but killing it in the courts would be terrible for everyone but the lawyers.

Re:He got notified? (3, Informative)

Bios_Hakr (68586) | more than 2 years ago | (#35958974)

It *needs* to happen. And happen big. Maybe after Sony files for bankruptcy, investors in other companies will start asking the CIO to ensure security at any cost.

Re:He got notified? (0)

Anonymous Coward | more than 2 years ago | (#35959142)

Agreed. We can't keep allowing these huge corporations to do whatever they want at our expense. Then using the excuse of "investors and employees" as a reason to turn a blind eye to this kind of things.

Don't want to lose money as an investor? Sell your shares for this shitty corporation.
Don't want to lose your job? Don't work for corporate douche-bags with shitty ethics.

Shit's simple, huh? ;)

Re:He got notified? (0)

Anonymous Coward | more than 2 years ago | (#35959004)

I'd hate to see that, as the investors would lose, the employees would lose, and the global economy would lose. Sony's huge. Most of their employees and investors did nothing to deserve this. Isn't gaming only a small part of sony? I dislike that sony has been allowed to grow that big and powerful, but killing it in the courts would be terrible for everyone but the lawyers.

WTF? Spare me the "too big to fail" crap. I'm tired of hearing this line of thinking. Sony cut corners -- some executive decided NOT to invest in proper security measures. Shit happens. Life moves on. You realize that Sony's _ENTIRE_ gaming division operates at a NET LOSS, right? Sony makes its money in the FINANCIAL SECTOR and subsidizes its gaming business. This lawsuit (even if it's in the billions) will NOT bring Sony down. Do some research about the background of the company, before posting BS like this again... Thanks.

Re:He got notified? (2, Informative)

h4rr4r (612664) | more than 2 years ago | (#35959194)

That's the risk the investors took. Don't like? Invest in more reputable companies.

Re:He got notified? (0)

Anonymous Coward | more than 2 years ago | (#35958898)

"If I see any erroneous charges on my card stemming from this massive amount of incompetence" ..good luck PROVING that any future breach on your CC was directly the result of Sony's fuck up.

my friend works for a bank (perimeter security) they deal with this all the time (stolen cards and such).. one day they got hit with a ton of fraud cases.. after the dust settled, and with a little help from the FBI, they found out that the majority of the cards impacted were stolen years before in the TJ Maxx hack (http://www.msnbc.msn.com/id/17871485/ns/technology_and_science-security/). the bad guys are smart enough to wait until people let their guard down after a couple of YEARS. you might monitor your card and your identity for a while.. but the bad guys sit on your info for longer. identity theft and credit monitoring are pretty much useless because the bad guys wait for shit to cool down before using any of your info.

the reason I know this is because he told me to get rid of my card if I'd ever shopped @ TJ Maxx

do yourself a favor. cancel your card now.
do yourself a bigger favor.. get a card with a tiny limit.. say $500 bucks, and use that one online.

Re:He got notified? (0)

Anonymous Coward | more than 2 years ago | (#35959160)

I know my bank offers one time credit card numbers, you go to your favorite online store, check out, get total, go to your bank's website, create a new credit card number and a limit for the exact amount, use new number. credit card number is now useless for future transactions.

Re:He got notified? (2)

Destoo (530123) | more than 2 years ago | (#35959072)

I've just received my notice. What took time was the translation/localization to French, probably.

It's still unacceptable, but at least I received it.

Re:He got notified? (0)

Anonymous Coward | more than 2 years ago | (#35959190)

I still have yet to hear a single word out of Sony. Had I not seen the Playstation Blog post, I would have known NOTHING about the severity of this issue until it hit all the major news outlets.

I literally just 20 minutes ago got the e-mail from Sony. I learned about this issue from Kotaku and freaking CNN before Sony said a word. That's not really acceptable.

Re:He got notified? (0)

bobstreo (1320787) | more than 2 years ago | (#35959242)

Yeah got some email "allegedly" from Sony today. It takes a while to tell 77 million people to go to freecreditreport.com

Ugghh! (2)

Chubcorp (2032990) | more than 2 years ago | (#35958726)

It takes time to find out what has been compromised. The hacker won't just come out and say "All your base are belong to us". Sony told us when they found out. If they did say that there is a possibility on day one that it may be compromised then there would be a lot of hectic and closing bank accounts on a hunch. If nothing had been compromised and they told us it may be (on day one) then people would be mad and still sued Sony for misleading them. Crap happens, suing doesn't make it better. Plus nobody said you had to create an account, nor did you pay for it.

Sony was thinking about maintaining profits. (2)

elucido (870205) | more than 2 years ago | (#35959112)

They could have warned you but they didn't. They knew it would cause panic and this panic could cause them to lose some customers.

Now we know 77 million customers are owned by hackers. We can thank Sony for waiting so long to tell us, and we can thank Sony also for caring more about DRM and security of their intellectual property than the security of personal critical consumer information.

What? Is your private information not as important or as valuable as theirs? I wonder how many celebrities and powerful families got their personal information compromised over this...

Good FUCKING Grief... (-1, Troll)

Frosty Piss (770223) | more than 2 years ago | (#35958736)

These people, both the Lawyer Whores *AND* the shills they round up for their money making schemes, are as bad as or worse than Patent Trolls.

It's an abuse of the legal system, nothing more than a money grab.

Re:Good FUCKING Grief... (4, Insightful)

Anonymous Coward | more than 2 years ago | (#35958896)

In a country where corporations like Sony effectively own lawmakers, criminal remedies are impossible. Civil cases involving "lawyer whores" are the only recourse allowed (short of vigilantism).

Re:Good FUCKING Grief... (-1, Troll)

Frosty Piss (770223) | more than 2 years ago | (#35959046)

In a country where corporations like Sony effectively own lawmakers, criminal remedies are impossible. Civil cases involving "lawyer whores" are the only recourse allowed (short of vigilantism).

So you're ethically OK misusing the US Legal System for no other reason than to fuck Sony out of some money you really do not deserve, because you don't like them? I would say you are ethically challenged.

Here's to sinking Sony's battleship (5, Informative)

cultiv8 (1660093) | more than 2 years ago | (#35958742)

46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4

Re:Here's to sinking Sony's battleship (0)

Anonymous Coward | more than 2 years ago | (#35958944)

Anton is great :)
What bullshit.........

Re:Here's to sinking Sony's battleship (1)

Anonymous Coward | more than 2 years ago | (#35959010)

That's not quite the whole key.

46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4 CD B2 C2

Re:Here's to sinking Sony's battleship (0)

Anonymous Coward | more than 2 years ago | (#35959050)

46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4 CD B2 C2

Re:Here's to sinking Sony's battleship (4, Funny)

shish (588640) | more than 2 years ago | (#35959060)

If those are the grid references for the different pieces of Sony's battleship, I'm surprised it can float in the first place o_O

And he is an affected party how (0)

Anonymous Coward | more than 2 years ago | (#35958752)

How can he sue for damages if he has no damages to sue for?

Re:And he is an affected party how (1)

tysonedwards (969693) | more than 2 years ago | (#35958824)

Well, you could always argue that being without your credit card for a week while waiting on your bank to issue another one is "damaging" to one's quality of life.

If they need to take time out of their day to go to the bank to get cash from a human, the additional time spent conducting cash transactions versus the use of cards, the time to get your accounts updated to use the new Card Number to prevent your power from being shut off, and so on, then "damages" can actually be shown.

Not much different from the random times when your wallet is stolen.

*facepalm* (-1)

Anonymous Coward | more than 2 years ago | (#35958768)

Sounds like people are jumping on the lawsuit train because it's the american way o7. Translation: crop of morons trying to cash in on a get rich quick scam. Never gonna fly and those filing lawsuits need the swift application of a tire iron upside the head.

A password crackers gold mine. (1)

elucido (870205) | more than 2 years ago | (#35958778)

So why would this data be valuable to hackers? Two reasons I can think of.

1. It's a password gold mine. Since most customers reuse passwords knowing one set of irrelevant passwords can give clues or even directly produce another set of more valuable passwords.

2. If it's information such as full name and address, and other personal information, this information can be sold on the underground black market or in the regular market. Hackers can use the personal information to commit crimes against these people, to intimidate, or to socially engineer. And if any Sony employees also had accounts it's possible they could have been compromised as well.

So the way to protect against this is simple. Never reuse passwords. Encrypt the names and addresses so that it's only accessible from inside the building. This won't prevent hacking, but it will make it hard enough so that only an insider can hack. Something as simple as a smart card ID for all employees accessing the personal information would be enough to create an audit trail, make it harder to access remotely, and to provide the decryption key in an easy to use intuitive format. You scan your ID into the computer when you get to work and it can decrypt. You remove the ID and it's encrypted. Someone hacks into it, unless they have an ID card it should be encrypted.

Re:A password cracker's gold mine. (1)

Fractal Dice (696349) | more than 2 years ago | (#35958860)

Also a good idea to not use real names and push credit card companies to develop a system of one-time tokens that are only good for a single buyer-seller relationship (or even for a single transaction) so that the stolen information has little value.

Like Bitcoin? (1)

elucido (870205) | more than 2 years ago | (#35959024)

I agree with the one time tokens. That would be a good start.

I think we have to consider that even if we did secure financial information, and we definitely should, what about the address and other information? The company has to have that unless we can find a way to secure it offsite and add it to the one time token concept. This way the entire token expires immediately after payment, including the real name and address which could be within the token.
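The single-use, single-merchant token idea from the two comments above, as an added example that is not part of the thread and not any card network's actual scheme. `TokenVault`, its methods, the merchant names, the card number and the address are all constructed for illustration; the vault is assumed to sit with the card issuer, so the merchant never stores the card number or address.

```python
import hashlib
import hmac
import secrets
import time


class TokenVault:
    """Hypothetical issuer-side vault mapping single-use tokens to card data."""

    def __init__(self, ttl_seconds=300):
        self._key = secrets.token_bytes(32)  # MAC key that never leaves the vault
        self._ttl = ttl_seconds
        self._live = {}  # token id -> (card, ship_to, expiry)

    def _mac(self, token_id, merchant_id):
        # Binding the merchant into the MAC makes the token useless elsewhere.
        msg = f"{token_id}|{merchant_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, card_number, merchant_id, ship_to, now=None):
        """Cardholder requests a token good for one payment at one merchant."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(16)  # random, reveals nothing about the card
        self._live[token_id] = (card_number, ship_to, now + self._ttl)
        return f"{token_id}.{self._mac(token_id, merchant_id)}"

    def redeem(self, token, merchant_id, now=None):
        """Merchant presents the token. Returns (ok, reason, ship_to)."""
        now = time.time() if now is None else now
        token_id, _, tag = token.partition(".")
        expected = self._mac(token_id, merchant_id)
        # Checked before the lookup, so a thief at another merchant cannot
        # even burn the victim's token.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False, "wrong merchant or forged token", None
        record = self._live.pop(token_id, None)  # pop enforces single use
        if record is None:
            return False, "already used or unknown", None
        _card, ship_to, expiry = record
        if now > expiry:
            return False, "expired", None
        # The vault would charge _card here; the merchant only learns where
        # to ship, and the vault keeps no copy of the record afterwards.
        return True, "charged", ship_to


if __name__ == "__main__":
    vault = TokenVault(ttl_seconds=60)
    # Constructed sample values: a well-known test card number and a fake address.
    tok = vault.issue("4111111111111111", "merchant-a", "1 Example St", now=1000.0)
    print(vault.redeem(tok, "merchant-b", now=1001.0))  # stolen, tried elsewhere
    print(vault.redeem(tok, "merchant-a", now=1001.0))  # legitimate payment
    print(vault.redeem(tok, "merchant-a", now=1002.0))  # replay of a spent token
```

A copy of the merchant's database after the payment holds only spent tokens, which is the "little value" property the comments are after.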

DRM anyone? (5, Insightful)

lasinge (1009929) | more than 2 years ago | (#35958780)

It's funny how Sony works so hard to protect their data and content via all their DRM attempts, when it's their customers' - not so much. On the other hand, they now have something to point to when people want to run whatever OS they want to run on their machines. Still, they can't stop it, they should focus on keeping their customers' credit card info out of harm's way (remind me why they need to keep persistent credit card data anyway? That should be an opt in only type of thing, with a required expiration date otherwise.) On a related note, when I set up a new account at my bank they only allow alpha-numerics with no special characters. WTF? Try to explain rainbow tables to a bank representative. So I used all of them ... I had the longest password she had ever seen.

Re:DRM anyone? (0)

Anonymous Coward | more than 2 years ago | (#35958818)

1 .. 2 .. 3 .. 4 .. 5 .. ?

That's the same password to my luggage!

Re:DRM anyone? (1)

Sinthet (2081954) | more than 2 years ago | (#35958858)

Storing credit-card numbers == potential cash for Sony. Ethically, I agree it should be an opt in type of thing, but by making it automatic, I'm assuming (I don't own a PS3) that people can automatically buy content, which they're probably much more likely to do when they don't need to get up off the couch to get their credit card.

Re:DRM anyone? (0)

Anonymous Coward | more than 2 years ago | (#35958982)

Sorry, I got a chuckle out of "I had the longest password she had ever seen."

Re:DRM anyone? (0)

Anonymous Coward | more than 2 years ago | (#35959014)

Mod parent up, it's the most interesting point yet!

Well... (5, Interesting)

Anonymous Coward | more than 2 years ago | (#35958782)

Actually I just got a notification from Sony about this today.
And according to this http://vgn365.com/2011/04/26/psn-users-reporting-hundred-of-dollars-stolen-from-them/
The CC's are already in the wild.
I know Visa is aware of the issue. They have reissued me a new card based on this information.
So yea it could go somewhere

Is a lawsuit necessary at this stage? (1)

joeflies (529536) | more than 2 years ago | (#35958796)

So he's after recovery of damages, but so far it doesn't indicate that he's experienced fraud, and it's not going to come out of his pocket anyways (the credit card company would handle any fraudulent charges).

He also wants credit card monitoring services, but it's not exactly clear that Sony would not have offered such services. It sounds like they're still investigating the extent of the breach. By making it part of the lawsuit, just how long will it take to get the services? After the lawsuit has been settled several months from now? I'd bet that he'd get the services a lot sooner through public pressure than as a remedy of a lawsuit.

Which leaves the third part of what he seeks - recovery of lawyer fees. Now it's pretty clear why this lawsuit exists at this stage - the opportunity for the lawyers to get rich in the name of consumer protection.

Re:Is a lawsuit necessary at this stage? (0)

Anonymous Coward | more than 2 years ago | (#35958984)

Sony has already announced what happened...NOW is the time for them to offer credit monitoring services. Not in a month after the data has already made its rounds in the hacker circles.

Check your EULA... you probably can't sue (3, Insightful)

artor3 (1344997) | more than 2 years ago | (#35958846)

Our wonderful, conservative-activist Supreme Court just ruled today that any company may stick a line in their EULA stating that by using their product, you forfeit the right to sue, and must instead use a private arbiter of the corporation's choice. They based this decision on a 90 year old law that was written to cover maritime shipping disputes.

Of course, since most contracts these days state that the corporation has the right to change the terms at any time without notice, this basically means that you can no longer sue a company that you've entered into a contract with.

Still think you have rights? Not as long as a Republican holds office!

Re:Check your EULA... you probably can't sue (0)

Anonymous Coward | more than 2 years ago | (#35958922)

Sony can put anything they want into their EULA, that doesn't mean it's legal or enforceable.

Re:Check your EULA... you probably can't sue (1)

artor3 (1344997) | more than 2 years ago | (#35958946)

Keep telling yourself that. The Supremes just ruled otherwise, and their opinion is the one that counts.

Re:Check your EULA... you probably can't sue (2, Informative)

fermat1313 (927331) | more than 2 years ago | (#35959118)

Um, you completely don't understand this. Arbitration is a long-standing method of settling a dispute between parties. It is extremely common in Professional Services engagement agreements, and it is also very common in other service agreements. I'm quite sure almost every agreement you sign for internet, phone, electricity, cable TV, etc also includes arbitration language.

Arbitration is a good thing. It allows small matters to be handled quickly, less expensively, and without mucking up our already congested court system. If you read the opinion, the court indicates that AT&T's arbitration agreement is specifically written to encourage the company to act in good faith. If a customer receives an arbitration award greater than the last written settlement offer, the customer gets $7,500 + twice any lawyer's fees. Clearly, AT&T has incentive to provide a good settlement. In this case, AT&T would have offered the plaintiffs $30.22, which is what the plaintiffs were (perhaps) wrongly charged in sales tax. Any decent arbitrator would have given the plaintiffs $30.22, which was their real loss. Trust me, arbitration agreements are a good thing. Our court system would be practically non-functional without them.

Re:Check your EULA... you probably can't sue (3, Informative)

lenroc (632180) | more than 2 years ago | (#35959148)

Our wonderful, conservative-activist Supreme Court just ruled today that any company may stick a line in their EULA stating that by using their product, you forfeit the right to sue, and must instead use a private arbiter of the corporation's choice.

Not true, actually. They ruled [npr.org] that customers that have signed a contract with a clause to that effect are bound to it. AFAIK, there is no settled case law saying that a shrinkwrap EULA is equivalent to a valid, signed contract.

Re:Check your EULA... you probably can't sue (1)

xMrFishx (1956084) | more than 2 years ago | (#35959156)

EULAs don't trump consumer laws, especially in Europe. You don't have a signature on a EULA, they don't mean jack shit over here. The ICO (Information Commissioner's Office) - responsible for the data protection laws in the UK - is already looking into this.

Are the grounds for this lawsuit even valid? (3, Insightful)

Mad Leper (670146) | more than 2 years ago | (#35958936)

Hmm, something not right here.

PSN is free, so it's hard to imagine how anyone is entitled to any compensation there unless it's through a goodwill gesture by Sony (which they definitely should do).
No proof yet any credit cards have actually been compromised. And before you all get puffy and worked up, literally, NO PROOF of any CC problems that can be linked to the PSN breach have been proven (yet).
There's no way the banks would allow Sony to have access to CC accounts without being regularly audited, never heard of any problems there. So I would think it's safe to assume they've been following safe business practices or else we would have heard something by now.
According to latest reports, Sony reported the possibility of account & CC details being compromised a little over a day after they found out. Difficult to claim that's an egregious length of time given the circumstances.

With all that plus the fact that it's common knowledge that Sony has been repeatedly targeted by hackers and thieves out of revenge for Sony having the audacity to protect their network and customers, this lawsuit is going to have a very difficult time making any headway.

So what exactly is this lawsuit about? Since this originates in the US (the most litigious country in the world) I say it's just more ambulance chasing i.e. business as usual.

Re:Are the grounds for this lawsuit even valid? (0)

Anonymous Coward | more than 2 years ago | (#35959068)

We're in some pretty muddy water with this one. PSN is *NOT* free since you need to have a PS3 to use it (barring other devices that might use it, eg. PSP). If I go out and buy a PS3 and then I can't use it due to PSN being down then is there a cause for action? I'm essentially being locked out of a device that I've paid for. We don't yet know the legalities of "always-on" tied services but it's pretty clear right now there's a bunch of people that can't play multiplayer games on a console that they've bought. Now if I were being sensible I'd say "who cares? Wait a few days and try again" - just like I'd expect my parents to have told me several years ago. Given the "I want, I want, I WANT!! GIMME!!" attitude of modern kids and their litigious parents these days though I wouldn't be surprised to see this cranking through the courts.

The second part of the question is whether having your card details stolen is a grounds for action either. The US has no data protection law (except California) so I'd immediately have to say "Um, no" and that's the echo you'll get from a courtroom. Is that right? Probably not, but that's beyond the point. Sony can't really be held responsible for every Joe Haxx0r in the universe that's out to get them, and you can't defend against 100% of threats no matter what software you're using. It's pretty hard to prove negligence when there's no real gold standard for security.

Two Words: Electronic Discovery (0)

Anonymous Coward | more than 2 years ago | (#35958948)

Sigh. What is with all these "hard time showing it" posts. He won't have a hard time if he gets a remotely qualified lawyer if they're at all at fault, although it may be incredibly costly.

IANAL, but maybe one can comment.

By filing the lawsuit, Sony has effectively been put on notice that they have a duty to preserve any and all evidence reasonably remotely related to this incident. They can still perform PR, issue press releases, study the breach...whatever. But any and all notes, emails, IMs, data records, metadata, and files that are reasonably likely to have anything related to this incident must NOW BE RETAINED and are no longer subject to normal corporate data retention policy. That means they can't just ship the computers off to some third party forensics specialist who can conveniently lose them if they decide they can't get enough information to press charges against whoever did it. It means that if they have a policy of deleting any unused emails in 90 days, they probably get slapped hard. I believe some states even treat this as presumptive guilt these days.

Beyond any sort of Wall Street/corporate data retention records, even their day to day correspondences are presumably subject to discovery...

Should they delete an email, a voicemail, shred a fax...whatever--they are likely to be sanctioned in the event it wasn't a reasonable accident. Given the nature of how corporations and the legal system work, the only reasonable thing to do if you suspect Sony was at fault IS TO FILE IMMEDIATELY. Because in a month, some of the relevant data may already be long gone.

And given we know they sat on it for a week, it seems reasonable to me to assume they have gravely screwed up--if only in due diligence and their ability to figure out what went wrong in event of a problem. And now Sony has to preserve all that related ESI and can't just shred it to protect their share price.

There's a reason they say justice favors the vigilant--given the workings of the system--the sooner you file, the more likely they are to have information you can access.

SCEA or SNEA (0)

Anonymous Coward | more than 2 years ago | (#35958966)

I got an email last month telling me that I needed to agree to new terms of service for the PSN, as they were transferring ownership from SCEA to a new Sony subsidiary, Sony Network Entertainment of America (SNEA). According to the terms, if I didn't agree, my PSN account would be closed and I would actually get a refund of outstanding funds in my wallet (i.e. it's serious enough for Sony to actually part with money). I haven't bothered with looking at the new terms (either way, PSN is useless when I'm still running firmware 3.15), but I have to ask: who exactly got attacked here? Is there a meaningful difference? Would my info be on the compromised systems when I've not consented to SNEA's terms?

Delayed Reaction.. (1)

Billlagr (931034) | more than 2 years ago | (#35959044)

Well, I received 'official' notification about this approximately 2 hours ago - 8.55am, April 28 (Aus EST). The email is vague hand waving at best, and they suggest that once the service is restored, you change passwords and check your credit card statement. Of course, they couldn't have my CC details, because Sony wouldn't have stored such information in plain text, now would they...?

A departure for me- (1)

rogerdugans (902614) | more than 2 years ago | (#35959054)

Usually I am against the rampant lawsuits over hot coffee and anything else the shills can think of, but this is one I am in favor of.
Sony seems to have taken over as the current best example of "Evil Large Corporation" in the public eye, and deservedly so.

Now if we could just get the pharmaceutical companies.......

Sony does have the image of a devilish corporation (1)

elucido (870205) | more than 2 years ago | (#35959078)

And not protecting customer information is the single worst thing they could do to harm their image.

I'm not even a Sony customer, and I don't own a PS3, but now that I see how lax their security is with such critical personal information, I will not be buying Sony products in the future. Sony is going to lose customers due to their obsession about profits and making money even at the expense of consumer information security.

Just received (1)

flyonthewall (584734) | more than 2 years ago | (#35959074)

This is one week after the shutdown:

"Add PlayStation_Network@playstation-email.com to your address book

"line" (to account for the junk filter)

PlayStation(R)Network

"line" (to account for the junk filter)

Valued PlayStation Network/Qriocity Customer:

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our network infrastructure by rebuilding our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID. It is also possible that your profile data may have been obtained, including purchase history and billing address (city, state/province, zip or postal code). If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.
While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising that your credit card number (excluding security code) and expiration date may also have been obtained.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit or similar types of reports.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority.
Please contact us at 1-800-345-7669 should you have any additional questions.

Sincerely,

Sony Computer Entertainment and Sony Network Entertainment

That's gonna fail because of this... (0)

Anonymous Coward | more than 2 years ago | (#35959080)

http://www.latimes.com/business/sc-dc-0428-court-class-action-web-20110427,0,1239412.story
