What Does Sony Owe Consumers After PSN Nightmare?

What responsibility does Sony have to the 77 million PlayStation Network customers who found out this week - days after the fact - that their personal data, online account info and credit card information were stolen by identity thieves?

"When I see something like this, I want to scream," says Florida identity theft expert Denise Richardson. "It's like a goldmine of information."

Companies in Sony's position typically respond by offering affected users a year of free credit monitoring--something any consumer in the U.S. is entitled to already. "To me, that's nothing," Richardson says. "Thieves are sitting back laughing at that."

Sophisticated data thieves have moved beyond stolen credit cards and use personal info like birthdates and home addresses to open bank accounts, obtain medical services or collect other people's unemployment checks. The fact that many of Sony's 77 million compromised accounts likely include teenagers and young adults makes it worse, she says, because they may not know their data was compromised for years, compounding Sony's potential liability.

"What happens next depends on how much damage comes from it," Richardson predicts. "It's going to cost Sony billions, is my guess."

Sadly, it falls to individuals to cancel credit cards, change passwords and watch their email and other communications carefully, and perhaps think twice about typing in reams of personal info on each website that asks for it. If you're looking for help, try our PSN Hack Survival guide.

Sony says the data thieves may have collected credit card numbers and expiration dates along with users' names, physical and email addresses, PSN online handle and password, birthdate and purchase history, and password hints.

So yeah, they know your mom's maiden name, favorite musician and what elementary school you attended. And they know your password, so if you're the kind of person who uses the same passwords over and over, you might be in for a series of unpleasant surprises over the coming months.

But no worries, the consumer electronics giant said today--the three-digit security code found on the back of your credit card was NOT included in the breach!

"That," said computer law expert Mike Godwin, "is like the weakest defense ever."

Adding a second 3-digit code to a 16-digit credit card number is "relying on security practices that are a couple of decades old," said Godwin, who was the first staff counsel at the Electronic Frontier Foundation. Assuming that is enough to wave off info thieves is symptomatic of a larger issue: "The entire system is broken."

Sony will have to admit that it violated its customers' trust and "start from the ground up," Godwin said. "They have to revamp their entire privacy system and not just paper over their mistake."

In the wake of the breach, Sony is facing multiple legal and regulatory challenges. Godwin adds, "A hugely comprehensive government action would actually help," although Sony's worldwide customer base complicates the possibility that regulatory action could do any good.
