Friday, April 29, 2011

The Bigger They Are...

Rumblings started a week ago as the Sony Playstation Network went offline, and stayed offline.  I wasn't initially very concerned about this, but have been encouraged to look into it now that more information is available, and I have become much more concerned.

From the ominous note at
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. [emphasis supplied]
 If you will recall, I was concerned about the identity theft / social engineering dangers from the Epsilon data breach.  This breach is much more serious because of the scope of information lost: everything necessary for successful identity theft, plus the potential for online identity takeover and even the possibility of credit card disclosure.  Reports have placed the record count at between 70 and 80 million!

The quantity of the confidential information involved here is stunning, and for an attacker to be able to obtain this volume of information in the matter of a couple of days seems extreme.  It would seem prudent for a company with this size and scope of a database to be using database access monitoring and data loss prevention systems.  It will be interesting to find out whether they actually did have essential business intelligence, monitoring, and policy enforcement systems in place.

No comments:

Post a Comment