Sony Playing with PI (Personal Information)

In yet another stunning data security breach, Sony announced that 77 million customer records had been hacked on its PlayStation Network and Qriocity services. The information accessed by hackers reportedly includes names, addresses, email addresses, birthdates, PlayStation Network/Qriocity passwords and logins, handle/PSN online ID, profile data, purchase history and credit cards.

On April 26th Sony published on its blog that the breach took place between April 17th and 19th. It said in part:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

Clearly, the combination of a name and credit card information meets the definition of Personal Information (PI) under the Massachusetts data security regulations, 201 CMR 17.00.  In an interesting twist to the story, by April 28th major news outlets were reporting that Sony had encrypted the credit card data. 

More and more of us are receiving notices from our banks, merchants, and service providers that say, “Oops, we lost or failed to protect important financial and other information about you.” Sony’s notice follows the typical businesslike format of warning the victims of the breach to be careful and take their own steps to protect their Personal Information:

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit or call toll-free (877) 322-8228.

We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

Experian: 888-397-3742; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

Within one day of the announcement, a PlayStation user from Florida had filed a class action lawsuit against Sony in the Northern California Federal District Court. Stay tuned.
