[personal profile] thewayne
Sony PSN has been down for over a week now. Unknown parties compromised their system and broke into their billing and authentication database(s), stealing 77 million accounts and credit card information. In a monumental act of stupidity, Sony stored all passwords as plaintext; they were not hashed, with or without a salt value. The bad thing about this is that so many people use the same password for multiple online accounts, and since their email address was also compromised, those people could be compromised all over the interweb.

The only good thing about this is that Sony did not store the CVN on the back of the card with the card data, so it was not compromised. This makes it much harder to make charges on the stolen cards and greatly reduces their value.

This also affects Sony's Qriocity network, whatever that is. Apparently PSN and Qriocity are operated and managed by an outside marketing company, not that it absolves Sony of any responsibility.

http://cyberinsecure.com/sony-playstation-network-breached-77-million-users-private-data-stolen/

http://yro.slashdot.org/story/11/04/27/142238/77-Million-Accounts-Stolen-From-Playstation-Network


One thing that I find interesting is that the credit card industry has standards that businesses must follow to secure credit card data. (Remember the TJ Maxx hack?) If you're a small merchant and all you have is machines to process in-person credit card purchases, it's no big deal. But if you store credit card data for repeat purchases, i.e. monthly network access, you are expected to have pretty good security. Clearly Sony is in gross noncompliance with these directives. I've read them; it takes a very skilled and serious staff to implement, maintain, and audit them.


Here's an article on Wired theorizing about who might have committed the hack. There are some very interesting comments, possibly indicating that some of the information may already have been sold to telemarketers and scammers.

http://www.wired.com/threatlevel/2011/04/playstation_hack/


The lawsuits have already begun, and it's guaranteed that they'll seek class action status. And as Sony and the network provider were so grossly negligent, it's going to hurt Sony as they so deserve.

http://tech.slashdot.org/story/11/04/27/2122241/Sony-Sued-For-PlayStation-Network-Data-Breach
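
The storage difference the post describes (plaintext versus hashed with a per-user salt), as an added example that is not part of the original post and not Sony's code. The accounts, the record format and the PBKDF2 work factor are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' using a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def shared_values(table: dict) -> list:
    """Groups of accounts whose stored value is identical. In a dumped table,
    such a group tells the reader those users chose the same password."""
    groups = defaultdict(list)
    for email, stored in table.items():
        groups[stored].append(email)
    return [sorted(emails) for emails in groups.values() if len(emails) > 1]

# Constructed sample accounts; two users picked the same password.
USERS = {
    "alice@example.com": "hunter2",
    "bob@example.com": "hunter2",
    "carol@example.com": "correct horse battery staple",
}

# Weak: the stored value is the password, so a dump is a ready-made login list.
PLAINTEXT_TABLE = dict(USERS)
# Hardened: the stored value is a salted, slow hash; the password is never stored.
HASHED_TABLE = {email: hash_password(pw) for email, pw in USERS.items()}

if __name__ == "__main__":
    print("same-password groups, plaintext:", shared_values(PLAINTEXT_TABLE))
    print("same-password groups, salted:   ", shared_values(HASHED_TABLE))
```
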