
Focus on Sony: The PlayStation Network Security Breach

IS510: James Dellinger, Grainne Malone, Jennifer Murphy, Ran Zhang

Overview
- Focus on Sony
- What data do they collect?
- High-profile breach: what happened and why?
- The aftermath
- Response
- Policies introduced as a result
- What has happened since?
- Vulnerabilities in legislation

Sony
- Sony: one of the world's leading digital entertainment brands, with a large portfolio of multimedia content.
- Sony Computer Entertainment: the PlayStation Network (PSN)

PSN Data Collection
- Name
- Address
- Country
- E-mail address
- Date of birth
- PSN password and login name
- Credit card details
- Purchase history
- Answers to users' security questions

What Happened?
- Security breach in the PlayStation Network
- Shutdown of service
- 77 million users put at risk
- Personal information stolen

Security Issues
- Weak security system
- Lack of random numbers in the algorithm
- Lack of firewalls
- Obsolete web applications
- Lack of management support

Response from Sony?
- Very slow reaction time
- Poor communication
- Lack of transparency
- Lack of direction

Measures Introduced
- Software monitoring
- Penetration and vulnerability testing
- Encryption
- Firewalls
- Security personnel

Creation of a New Position - CISO

"to oversee information security, privacy and internet safety across the company, coordinating closely with key headquarters groups and working in partnership with the information security community to bring the best ideas and approaches to Sony."
- Sony Corporation

Number of Actions Taken
- Moved the PSN servers to a new, more secure and unnamed location
- Enhanced levels of data protection and encryption
- Enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns
- Additional firewalls
- Established a new data center in an undisclosed location with increased security

Changes of Terms of Service


September 2011 - No Suing Policy!

Other than those matters listed in the Exclusions from Arbitration clause, you and the Sony Entity that you have a Dispute with agree to seek resolution of the Dispute only through arbitration of that Dispute in accordance with the terms of this Section 15, and not litigate any Dispute in court. Arbitration means that the Dispute will be resolved by a neutral arbitrator instead of in a court by a judge or jury.
- Section 15, Terms of Service, Sony Entertainment Network

Recent Scandal?

Ahhhhhh Not Again!!!

- June 2011 - SQL injection attack against Sony Pictures disclosed personal information of over 1 million Sony customers
- June 2011 - an attack against Sony's Developer Network posted 54MB of Sony developer source code
- October 2011 - brute-force attack broke into 93,000 PlayStation and Sony network accounts
- January 2012 - attack against several websites operated by Sony over the corporation's support of the US Stop Online Piracy Act (SOPA)

Issues with Legislation

Security breaches of this nature fall under data protection and privacy regulation, which the European Commission leaves to each EU member state, unlike Europe's antitrust regulation, which is centralised.
- United Kingdom - Information Commissioner's Office (ICO)
- Ireland - Data Protection Commissioner

Future Legislation
- E-Privacy Directive: swift, mandatory disclosure of a data breach
- EU Justice Commissioner: will modernize rules dating from 1995, and could expand them to e-banking, online shopping or the personal data field

Conclusion
What do you think? Who do you blame?

What should be done?
