Privacy Commissioner and Others Up In Arms about Sony PlayStation Network Hack

Matt Lonsdale is a JD candidate at Dalhousie University.

On April 20th, 2011, disappointed gamers discovered they could no longer connect to the PlayStation Network. While Sony initially blamed the outage on technical problems, it was later revealed that the service had been deliberately hacked. The incident has sparked a flurry of activity among government officials, law enforcement, politicians and private citizens.

The PlayStation Network is an online service that allows owners of Sony’s PlayStation 3 game console to play multiplayer games, stream movies and purchase new content. The perpetrators gained access to a database containing a wealth of personal information on PlayStation Network’s customers. Qriocity, a music and video streaming service owned by Sony, was also affected by the attack.

While the full extent of the breach is not known, the database accessed contained the personal information of over 75 million PlayStation Network users. In an email to users dated April 27, 2011, Sony wrote, “we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID”. Credit card data was encrypted and stored in a separate database. While there is no evidence that this information was accessed, Sony has not ruled out the possibility.

Sony’s customers were understandably angry about the breach. In response, the US-based Rothken Law Firm has filed a class action lawsuit in California, alleging that Sony “failed to take reasonable care to protect, encrypt, and secure the private and sensitive data of its users”. The lawsuit seeks information about the breach and Sony’s data security practices, as well as monetary compensation for affected users.

As might be expected in today’s privacy-conscious world, the breach has also received significant attention from government. The attack itself is being investigated by the FBI’s cybercrimes unit in San Diego. A US House of Representatives subcommittee, as part of a hearing entitled “The Threat of Data Theft to American Consumers”, submitted written questions to the Chairman of the Board of Directors of Sony Computer Entertainment America. Britain’s Information Commissioner’s Office has also been in contact with Sony and is investigating whether the privacy laws of that country have been violated.

In Canada, the Office of the Privacy Commissioner was not notified of the breach by Sony. Office spokeswoman Valerie Lawton wrote that “We are currently looking into this matter and are seeking information from Sony… [W]e will determine next steps once we have a full understanding of the incident.” The Personal Information Protection and Electronic Documents Act does not place an obligation on organizations to report incidents of this kind to the Office of the Privacy Commissioner. However, Schedule 1 of that Act does contain a number of principles which organizations are expected to adhere to, including the implementation of “procedures to protect personal information”. Sony has stated that all personal information was protected by a sophisticated security system, although, unlike credit card data, personal information was not encrypted. Encrypting a database at rest is of limited help on its own: an attacker who reaches the data through the application that decrypts it, or who obtains the keys, reads it just the same, so the unencrypted status of the personal data is only one of the questions investigators will need to answer.

On May 4, 2011, just two weeks after the breach, Privacy Commissioner Jennifer Stoddart gave a speech at the Canada 3.0 conference calling for Parliament to grant the Office the ability to levy substantial fines against organizations. She expressed dismay that Sony had not notified her office of the breach, saying, “I have come to the conclusion that the only way to get some corporations to pay adequate attention to their privacy obligations is by introducing the potential for large fines that would serve as an incentive for compliance”.

  1. Here is Sony CEO Howard Stringer’s letter to PlayStation Network customers about the situation:

    I know that anybody can be hacked on the Internet, even a giant like Sony, but it doesn’t seem like the real issue has been addressed: their customers were putting their personal information at risk all along. Maybe that’s something PSN users are consenting to by using the service (recall this previous post here on IPOsgoode).

    Sony can offer free services to make up for what has happened, but that is only addressing the inconvenience of having the service shut down for this period of time. It will be interesting to see if the privacy concerns of their customers remain at the forefront, or fade away over time. Convincing consumers that Sony’s service is secure is not something that can be done as easily.

  2. Although there is a lot of speculation regarding the identity of the hackers and their motives (Sony blames Anonymous but Anonymous denies it), I think this could signify a tipping point for how large corporations handle their customers’ private data.

    Until recently, customers in general have been fairly lax and uninterested in the way their personal data has been utilized by corporations. It is hard to blame them. After all, the harm that can be done (outside of credit card numbers) if basic personal and account behaviour information falls into the wrong hands is not immediately obvious. Additionally, it is likely that most people assume sophisticated corporations will properly encrypt and protect sensitive data.

    While it is not entirely clear, there is chatlog evidence (from an IRC channel for PS3 owners trying to hack or modify the devices for purposes not approved by Sony) which suggests that much of Sony’s security measures were subpar and outdated. If this turns out to be true, it would give consumers further reason to demand companies implement greater security measures.

    Furthermore, it has also been suggested that stolen data is not the only danger. Given more time, it is possible the hackers could potentially have taken control of millions of PS3 systems, resulting in a network as powerful as many nations’ supercomputers. The potential damage of this type of attack was demonstrated on a smaller scale by researchers in 2008 with 200 PS3 machines.

    Given the significant amount of media attention and number of people affected, it will be interesting to observe the impact on consumers’ and businesses’ interest in protecting personal data.
