via USA TODAY
The external hack of Sony’s PlayStation Network represents one of the largest data breaches ever, security experts suggest.
Dr. Paul Judge, chief research officer and vice president of Barracuda Networks, says the PSN intrusion is "arguably the second largest data breach ever," trailing only 2009’s Heartland Payment data breach, which impacted 175,000 merchants and millions of payment card transactions per month.
"The most troubling thing about this breach is the breadth of data that was leaked: name, address, passwords, purchase history and possibly credit card numbers," says Judge. "This provides potential ammunition for almost any type of attack."
Other security experts concur. "The PlayStation Network hack is one of the largest in history, with over 70M records compromised. Sony’s initial delay and vagueness about the nature of their security breach gives hackers the opportunity to exploit that data and potentially mine more of their customers’ information," says Mandeep Khera of application security firm Cenzic. "While we can understand that Sony had to get forensics done to find out how it happened, there’s no excuse for them to not inform the customers right away … Consumers trust big businesses like Sony to keep their data safe because of their well-known name in the electronics industry. Once that trust is gone, they may begin to look elsewhere. The ultimate lesson here is that all businesses are vulnerable to hackers, regardless of size or industry."
Adds Joe Gottlieb, president and CEO of security information and log management firm SenSage: "This is a big one. The most known breaches are Heartland and TJX. These are big companies that handle lots of credit cards and their breaches were in the same neighborhood. What’s notable about this one is, to my knowledge, it’s the first gaming network that’s been compromised. So rather than a traditional retail operation or marketing operation that has lots of customer records in a database that gets compromised, this one is one of the biggest and fastest growing frontiers of our digital age, the whole gaming network thing."
PlayStation Network account holders must be wary in the wake of this breach, he says, "not to be giving any personal data online or when they receive an email or unsolicited communication. Let’s say the attackers only got email addresses. They are going to initiate a campaign to act as if they are Sony sending an email to all their customers alerting people to this situation and then requesting them to improve their own defense against anything that could result from this attack by updating their account. That is a phishing attack and it would go against all these customers. That is probably already occurring right now."
Sony announced Tuesday the "external intrusion" that shut down PSN exposed users’ personal data and potentially credit card information. The response has also triggered some backlash, including from a U.S. senator calling Sony’s actions "troubling."
As for what PSN users can do to protect themselves? Barracuda’s Judge suggests replacing the credit card used for the account, changing any passwords similar to the PSN account password, and subscribing to an identity theft monitoring service.
"Sony will need to follow up with some level of compensation for the users that had to cancel credit cards and subscribe to identity theft monitoring services," Judge says.