Not one to let Epsilon or Oak Ridge National Laboratories hog the media spotlight, Sony, a seasoned expert at security blunders such as the famous Sony rootkit, has taken the spotlight for one of the biggest security breaches of all time. Hackers were able to access Sony’s network, and according to Sony (http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/) the information compromised includes “name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.”

Given the number of users who use the same password for multiple sites, I would expect there to be a ton of accounts compromised. This will go far beyond PlayStation: email and social networking accounts are likely to be compromised, and even bank accounts as well.

If you have a Sony PlayStation Network/Qriocity account, you need to assume that all of the data mentioned is in the hands of the bad guys. If you use the same security questions and answers at other web sites, you need to change the answers. Take a look at https://www.welivesecurity.com/2009/05/04/honesty-is-not-the-best-policy-for-password-resets for pointers. If you used the same password on other sites that you used on the Sony site, you need to change those passwords. Of course, you will also need to change your Sony password when the PlayStation Network site comes back online.

Sony has additional recommendations at http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/. One of the recommendations that bears merit is for US residents to have the major credit reporting agencies place fraud alerts on their files. Sony notes that this may make it difficult for criminals to open credit in your name, but it also may make it a bit more of a hassle for you to open new lines of credit.

I am struck by the contrast between this incident where Sony is warning people that there is a problem and the Sony rootkit fiasco where Thomas Hesse, President, Sony BMG Global Digital Business, said “Most people, I think, don't even know what a Rootkit is, so why should they care about it?” Perhaps Sony knows that most people do know what identity theft and fraud are.

If you are a security expert looking for a job, I would keep my eyes on the Sony website, as clearly they have a significant need for experts who understand defense in depth. Knowledge of encryption and multi-factor authentication systems will probably be desired as well.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America