Richard Blumenthal Sends Letter to Sony Over PSN Data Theft

April 26, 2011 -

Senator Richard Blumenthal (D-CT) is not happy with Sony's revelation today that user data and credit card information may have been stolen from PlayStation Network users (thanks to gellymatos). He is so unhappy that he has sent a letter to Jack Tretton, President and CEO of Sony Computer Entertainment America. In his letter to SCEA, Blumenthal noted that SCEA failed its customers by not informing them sooner.

"When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised… I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party,"

The full letter can be found below:

Dear Mr. Tretton:

I am writing regarding a recent data breach of Sony’s PlayStation Network service. I am troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections.

It has been reported that on April 20, 2011, Sony’s PlayStation Network suffered an “external intrusion” and was subsequently disabled. News reports estimate that 50 million to 75 million consumers – many of them children – access the PlayStation Network for video and entertainment. I understand that the PlayStation Network allows users to store credit card information online to facilitate the purchasing of content such as games and movies through the PlayStation Network. A breach of such a widely used service immediately raises concerns of data privacy, identity theft, and other misuse of sensitive personal and financial data, such as names, email addresses, and credit and debit card information.

When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.

I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.

PlayStation Network users deserve more complete information on the data breach, as well as the assurance that their personal and financial information will be securely maintained. I appreciate your prompt response on this important issue.

Sincerely,

/s/

Richard Blumenthal
United States Senate

Source: blumenthal.senate.gov


Comments

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Out of context quote of the day:

"...user data and credit card information may have been stolen from PlayStation Network users (thanks to gellymatos)"

 

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

I am not even sure if I believe Sony's story at this point.

If they are willing to lie (or at least massively distort) information in official court documents, I doubt they would have any ethical issues with explaining the outage in terms of customer records being accessed.

I would not be surprised if it was the dev net => free stuff loophole that was posted a bit before the network went down.. then when they were unable to patch it quickly they came up with an exuse that sounded better then 'well, a small number of people were able to buy on-line content for free'.. since "OMG HACKERS HAVE YOUR DATA" will get more sympathy.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

"OMG HACKERS HAVE YOUR DATA" will get more sympathy.

Hardly.  This is a PR nightmare for Sony, and they're already looking at class action suits.

A simple outage is bad, but a security breach of this magnitude is far, far worse.  Yes, ultimately whoever stole the data is to blame, but Sony is liable if it didn't follow simple best-practice security procedures.

I wouldn't put it past Sony to overreact to a potential hack -- obviously it's already done that in the OtherOS case -- but lying about having its entire subscriber base's personal information potentially accessed would be absurd.

Claiming criminal negligence makes for a pretty poor sympathy play.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

EDIT: Site posted comment in the wrong place.

 

Parallax Abstraction
Ottawa, Ontario, Canada

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

No matter whos side you are on you cannot deny that Sony has dopped the ball in this situation.

http://www.magicinkgaming.com/

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Umm...Sony is a large corporation.  Frankly, I'm impressed they managed to figure out they had a problem, that someone made the decision to take the entire Playstation Network offline, and then turn around and figure out exactly what data was stolen.  You know how hard it is to do all that in a large corporate environment?  Clearly, at this point, it is pretty obvious that PSN has been severely compromised but this letter was uncalled for.  Given the severity of the issue, A five day turnaround response time on this is pretty remarkable.

What Sony needs to do now is hire some real programmers and IT admins who know how to write code defensively and maintain a secure network infrastructure so this sort of breach never happens again.  And they still need to determine for certain whether or not credit card numbers were stolen.  Regardless, the information extracted is still sufficient to steal the identities of most of those people who own a PS3.

- Left4Dead

Why are zombies always eating brains? I want to see zombies that eat toes for a living. Undead-related pun intended.

- Left4Dead Why are zombies always eating brains? I want to see zombies that eat toes for a living. Undead-related pun intended.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

The difficulty of the matter is largely irrelevant, especially when most of the difficulty is caused by corporate culture, rather than an actual technical problem. A company that stores customer data has a responsbility to secure that data and, failing that, inform customers as soon as humanly possible when that data is compromised so that they can take measures to ensure that their losses as a result of the company's failure are minimized.

Sony dropped the ball by failing to properly secure their systems. Now nobody is perfect, and neither is any security, so it does happen. However, they dropped the ball again by taking this long to notify their consumers that their personal information may have been compromised. Any corporate bureaucracy that slowed the notification down is another failure, not a mitigating excuse.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

As it turns out, they didn't find out until yesterday.

 

http://blog.us.playstation.com/2011/04/26/clarifying-a-few-psn-points/

 

"The difference between genius and stupidity is that genius has its limits." -Albert Einstein

"The difference between genius and stupidity is that genius has its limits." -Albert Einstein

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Again, that's nonsense.

They knew there was a security breach and that data had been POTENTIALLY stolen; that's why they shut the network down in the FIRST place.

They waited to come clean to their customers until they were absolutely certain they had to, instead of doing it as soon as they knew there was a threat.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

A standard DBA could've told you what data was accessed within an hour, it's a fairly simple task. And even now the email is full of "MAY HAVE"s, they're either not certain about it or are trying to tone down this PR disaster.

The whole situation is highly unprofessional, and coming from a company as large as Sony, unacceptable. Sony are indefensible over this whole matter.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Having a good laugh at the people claiming to sell their PS3 systems and getting a competitor's device, like it matters now.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

It's not going to get their credit card data un-stolen, but it IS a form of financial retaliation: You didn't treat me right, so you're not getting any more of my money.

It's not a new idea, it's simple free-market economics.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Bet ya 5 bucks this is the guy who hacked the PSN. 

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

If he is, then he's violating the agreement he made with Sony and will probably get himself ruined financially if not jailed. I have little sympathy for GeoHot and whatever good he's convinced himself he's doing for the world but he's not an idiot. That said, Sony's action against him probably inspired whoever is pulling this off.

Parallax Abstraction
Ottawa, Ontario, Canada

Parallax Abstraction
Ottawa, Ontario, Canada

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

"That said, Sony's action against him probably inspired whoever is pulling this off."

Possibly.  Though if it's really about stealing credit card information, no political motivation is necessary.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

He does make some important points. The fact that it has taken Sony so long to realise that data was stolen (or to make it public) is unacceptable and it will be interesting to know at what time the data was stolen after the attacks started. Questions have to be asked as to why only now being told about this.

This is disastrous for Sony and no doubt a massive promotion for Microsoft's Xbox Live. Microsoft being predominately a software firm you would hope that they would handle this situation much better, Sony currently appear to be clueless and for a company of that size it is not good.

Coming from a software firm myself I know that these delays are unacceptable.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Well, it's pick your poison at this point: have all your info possibly stolen or have your console break again and again. Although, Nintendo is more than happy to have you buy another Mario game. :P

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

I've had my 360 since maybe a year before the slim was announced and it hasn't broken once, so that meme is getting old.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

And I've known people who have had theirs RROD half a dozen times.

It isn't old until the problem is fixed once and for all. And that will never happen.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Sorry I didn't realise that just because the RROD hasn't happened to you means it doesn't happen to anyone else.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Once the data's stolen, it's stolen. I can't see how delaying the announcement that data had been stolen makes any difference. And I can't see how having the network down breaks your console, I've been happily playing games offline on my PS3 this week (after my 360 RROD'ed), although of course I could've played Mario Galaxy on my Wii instead. :p

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Really? You can't see what difference it makes to inform someone their credit card information may have been stolen in less than just under a week?

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

They only just found out about the stolen info yesterday.

http://blog.us.playstation.com/2011/04/26/clarifying-a-few-psn-points/

 

"The difference between genius and stupidity is that genius has its limits." -Albert Einstein

"The difference between genius and stupidity is that genius has its limits." -Albert Einstein

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

They only found out FOR SURE that it was stolen yesterday.

They've had reason to SUSPECT it had been stolen for nearly a week.  That's why they shut the service down in the first place.

Re: Richard Blumenthal Sends Letter to Sony Over PSN Data ...

Don't believe it personally. If it took that long to realise that user data may have been taken then they really have no idea how to manage a database or a network and it would be surprising if with that level of ignorance the company was still in existence today.

 
Forgot your password?
Username :
Password :

Shout box

You're not permitted to post shouts.
NeenekoI would hope not. Though it is not unheard of for store specific cards to be pretty good.07/30/2014 - 8:17am
E. Zachary KnightDoes anyone, or at least any intelligent person, expect a retail branded credit card to be anything close to resembling a "good deal" on interest rates?07/30/2014 - 7:13am
SleakerGamestop articles popping up everywhere about their ludicrous new Credit card offerings at a whopping pre-approval for 26.9% APR07/29/2014 - 10:19pm
Matthew Wilsonhttp://arstechnica.com/tech-policy/2014/07/podcasting-patent-troll-we-tried-to-drop-lawsuit-against-adam-carolla/ the podcasting patent troll scum is trying to turn tail and run.07/29/2014 - 9:50pm
MaskedPixelanteOf course it's improved. At launch, Origin was scanning your entire hard drive, but now it's just scanning your browsing history. If that's not an improvement, I dunno what is!07/29/2014 - 8:59pm
Papa Midnighthttp://www.escapistmagazine.com/articles/view/video-games/columns/experienced-points/12029-Has-EAs-Origin-Service-Improved-Any-Over-the-Last-Two-Years07/29/2014 - 8:25pm
Sora-ChanSo it's just a matter of having better emulation software. If it can be done with a 3DS game, with all the memory and what not it takes up, it can be done with a GBA title through emulation.07/29/2014 - 7:30pm
Sora-ChanOther VC titles for the NES and Gameboy had the same setup where you couldn't access the homescreen without quitting out of the game til a later update when those games were released for the public outside of the founder program.07/29/2014 - 7:28pm
Sora-Chanthe 3DS can, and does, run GBA games, as seen by the founder gifts, which included a number of GBA titles. As for running GBA games and still having access to the home screen, I beleive it's more of the game emulation software needs to be updated.07/29/2014 - 7:27pm
Matthew Wilsonthe 3ds already swaps os's with the original ds. plus I dont think people expect miverse interaction when playing a gba game.07/29/2014 - 6:06pm
MaskedPixelanteBut that's not the issue, the 3DS is perfectly capable of emulating GBA games. The problem is that it doesn't have enough available system resources to run it alongside the 3DS OS, and thus it doesn't have access to stuff like Miiverse and save states.07/29/2014 - 5:45pm
Matthew WilsonI am well aware that it requires more power, but if a GBA emulator could run well on a original psp, than it should work on a 3ds.07/29/2014 - 5:36pm
ZenThe reason the SNES could run Gameboy, or the Gamecube could run GBA was because their adapters included all of the necessary hardware to do it in the respective add-ons. The systems were just conduits for control inputs and video/sound/power.07/29/2014 - 4:51pm
ZenMatthew: Emulation takes more power than people realize to run a game properly. You can make something run on less, but Nintendo...as slow as they are at releasing them..makes them run as close to 100% as possible. Each game has its own emulator for it.07/29/2014 - 4:47pm
Matthew Wilsonkind of hard to believe since the 3ds is atleast as powerful as the gamecube hardware wise.07/29/2014 - 4:27pm
MaskedPixelanteYes, the 3DS has enough power to run 16-bit emulators, but not at the same time it's running the 3DS systems themselves. You could run the games, but you wouldn't get save states or Miiverse.07/29/2014 - 4:04pm
InfophileRunning GBA on 3DS shouldn't be hard. The DS had flashcarts sold for it that added just enough power to emulate GBA and SNES games, so the 3DS should have more than enough natively.07/29/2014 - 3:37pm
MaskedPixelanteIt's a bunch of people whining about boycotting/pirating Trails in the Sky FC because XSEED didn't license the Japanese dub track, which consists of about 10 lines per character.07/29/2014 - 11:27am
Sleaker@MP - devolver Digital issued a twitter statement saying they would replace the NISA pledge.07/29/2014 - 10:57am
E. Zachary KnightIs that a discussion about RIAA member music labels?07/29/2014 - 10:48am
 

Be Heard - Contact Your Politician