April 28, 2011
Sony revealed its popular PlayStation Network had been breached, compromising data from as many as 70 million users.
The Japanese electronics conglomerate said it learned about the “intrusion” on April 19 and subsequently shut down its PlayStation Network and Qriocity systems, before informing the public of the breach on April 25.
In a post on the PlayStation blog, the company noted that the following data is believed to be compromised: name, address (city, state, zip), country, email address, birth date, PlayStation Network/Qriocity password and login, and handle/PSN online ID; it is also possible that profile data, including purchase history and billing address (city, state, zip), and PlayStation Network/Qriocity password security answers may have been obtained.
Sony also noted—“out of an abundance of caution”—that credit card numbers (excluding security code) and expiration dates of users who provided credit card information to PlayStation Network or Qriocity systems could also have been obtained. *
The company is working with an outside security firm to investigate what happened; however, a lawsuit has already been filed against the company.
As noted in various reports, gamers are likely to have used the same passwords for email and social networking accounts; criminals could use those passwords to access the accounts in search of bank account passwords and to send spam messages.
The Sony breach follows hacks at the technology marketing firm Epsilon and RSA, the security division of EMC.
The past week also saw scam phone calls and text messages sent out to bank and credit union customers in Tri-Cities, Wash., following similar attacks on credit unions in the Portland and Olympia areas. The calls asked members for identifying information, while the text messages claimed the member's card had been deactivated and instructed them to call a specific telephone number.
At the Association’s Northwest CEO Summit last week, Oregon Attorney General John Kroger explained that internet fraud is a growth industry, costing Oregonians $1.3 million last year. It is also difficult to prosecute because most of these schemes are run from locations outside the country, primarily in the Philippines, West Indies and China.
Kroger explained the key to keeping credit union members safe is education. Members who know about the most common methods of fraud are less likely to fall into the traps set for the unwary. Newsletter articles and website mentions are great, but they may not be enough.
These incidents underline the need for strong member communications and security procedures. It is important to stress that members should never provide sensitive information in response to an unsolicited call, text or email. Members should only contact their credit unions using published phone numbers if they have any questions or are responding to a message left by their credit union.
If your member has provided their card information in response to a phishing attack or believes it has been compromised in a data breach:
- Review current activity with your member to ensure no unauthorized transactions have occurred;
- Cancel and replace any card that may have been compromised; and
- If any unauthorized transactions have occurred, follow your normal procedures for handling those transactions.
Note: A new Washington State law, pushed by the Association, allows credit unions to reclaim the cost of reissuing cards from the merchant that compromised the data, if appropriate security measures were not taken.
* Update: In a question and answer blog, posted on the PlayStation website, the company said: "The entire credit card table was encrypted and we have no evidence that credit card data was taken.
"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
Questions? Contact Regulatory Analyst David Curtis: 206.340.4785, firstname.lastname@example.org.