Sony Learns the Hard Way that Protecting User Privacy is Not a Game

Apr 28, 2011
By:
Chris Conley

[Update: Sony has stated that they did not "understand the scope of the breach" until April 25. It remains unclear at what point they became aware that at least some user data had been compromised.]

Less than a week after the revelation that Apple's iPhones and iPads keep location data logs, Sony announced a doozy of a privacy snafu of its own: a recent security breach on its PlayStation Network resulted in the loss of records of some 77 million Sony customers. There are still more questions than answers about the breach itself, but we can already identify two ways that Sony dropped the ball: failing to use established best practices to protect user data before the breach, and failing to respond quickly and effectively after the breach. We should expect better from companies with whom we entrust our personal information.

It's not yet clear whether the breach captured users' credit card numbers (though many users have reported fraudulent credit card activity since the breach), but it did expose not only personal information (name, street address, email address, birth date) but also the user's login name and password. This simply shouldn't happen. As one security blog put it: "Only the most grossly incompetent of developers would actually store passwords as plain text [files] in the database, right?" Unfortunately, it appears Sony may have done just that, turning an already-serious data breach into an "identity-theft bonanza."
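The difference the quoted blog is pointing at, shown as an added Python example (this code is not from the ACLU post and says nothing about how Sony's systems were actually built): a credential record that stores the password itself beside one that stores only a per-user salt and a slow, iterated hash. The user record, the iteration count and the function names are all constructed for illustration.

```python
"""Added example: plaintext password storage versus salted, iterated hashing.

Not code from the original article. The record layout, iteration count and
function names are illustrative assumptions; hashlib and hmac are standard
Python modules.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a deliberately high PBKDF2 work factor so that guessing
# passwords against a stolen table is slow. Tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(username: str, password: str) -> dict:
    """The practice criticised above: the table holds the password itself.

    Anyone who can read the table can read every password, and can reuse
    it on any other site where the user chose the same one.
    """
    return {"user": username, "password": password}


def store_hashed(username: str, password: str) -> dict:
    """Store a random per-user salt and PBKDF2-HMAC-SHA256 of the password.

    The password itself is never written. A fresh salt per user means two
    users (or two sites) with the same password get different hashes.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "user": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    # compare_digest avoids leaking where the comparison failed via timing.
    return hmac.compare_digest(digest.hex(), record["hash"])


def exposed_on_breach(record: dict) -> Optional[str]:
    """What a copy of the stored record reveals directly about the password.

    For a plaintext record that is the password itself; for a hashed record
    there is no password field, so the answer is None.
    """
    return record.get("password")


if __name__ == "__main__":
    # Constructed sample user; not real data.
    weak = store_plaintext("alice", "correct horse battery staple")
    strong = store_hashed("alice", "correct horse battery staple")
    print("plaintext record exposes:", exposed_on_breach(weak))
    print("hashed record exposes:", exposed_on_breach(strong))
    print("login with right password:", verify_hashed(strong, "correct horse battery staple"))
    print("login with wrong password:", verify_hashed(strong, "hunter2"))
```

The point for the breach-notification discussion that follows is the scope of harm: with the hashed layout, a stolen table still forces password resets, but it does not hand the attacker working credentials for every account, nor for the other sites where users reused the same password.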

Compounding the problem, Sony apparently learned of the breach on April 19, but didn't acknowledge the extent of the breach until a week later. Instead of promptly coming clean and doing its best to protect users, Sony's delay put users at additional risk. The delay has attracted the ire of Sen. Richard Blumenthal of Connecticut, who chastised the company for the "troubling lack of notification . . . about the nature of the data breach," and has already triggered one lawsuit against the company.

Sony has suggested a few things that affected users should do to protect themselves:

  • Change your password on any other site that has the same or similar password as your Sony account, and change your Sony password as soon as the network is restored.
  • If you have a credit card associated with your Sony account, watch your account for fraudulent activity and consider placing a fraud alert with credit reporting agencies.
  • Be particularly suspicious of any contact (phone call, email, etc.) requesting your personal information, including any requests appearing to come from Sony.

If you're a PlayStation Network user, these seem like good steps to take. But Sony also needs to do a better job of protecting this information in the first place. If companies want us to entrust them with our personal information, they need to earn that trust by taking practical steps to protect that information, including joining us to push for modernized privacy law. Hopefully Sony's painful lesson will encourage them and other companies to do the right thing now and avoid repeating this experience later.

Chris Conley is the Technology and Civil Liberties Fellow with the ACLU of Northern California.