After admitting that the personal details of the 42m+ PlayStation Network users have been leaked, Sony has argued that it couldn’t warn subscribers of potential data loss when the system was first taken down because it took “outside experts” to confirm it. According to Nick Caplin, SCEE’s head of comms, the delay involved in “forensic analysis” explains why it took the company so long to warn users that their information had been compromised.
“There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion 19th April and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly yesterday evening.”
Nick Caplin, Head of Communications, SCEE
Users themselves, unsurprisingly, aren’t particularly impressed with Caplin’s reasoning. They suggest that Sony was negligent in not flagging up even a potential suspicion of a data breach from the start, which would at least have given them a chance to change their passwords, cancel credit cards and take other steps to minimize the impact.
Of course, doing that would be a worst-case scenario for Sony, since it’s possible that users might not subsequently return to the PSN; as with Apple and iTunes, Sony values its database of users, each with credit cards attached to their accounts. The potential backlash from advising cancellations, had the database turned out not to be compromised after all, could also have been significant.
Nonetheless, the information is loose, and Sony can’t – or won’t – commit to when either the PSN or Qriocity streaming services will be back online. According to the FAQ, there is “a clear path to have PlayStation Network and Qriocity systems back online” and Sony does “expect to restore some services within a week.” Nonetheless, Sony also warns that it “will keep the service down to allow us to conduct a thorough investigation to ensure smooth operation of our network services when they return.”
What personally identifying information do you suspect has been compromised?
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information provided by PlayStation Network/Qriocity account holders: name, address (city, state, zip), country, email address, birth date, PlayStation Network/Qriocity password, login, and handle/PSN online ID. Other profile data may also have been obtained, including purchase history and billing address (city, state, zip). If an account holder has authorized a sub-account for a dependent, the same data with respect to that dependent may have been obtained. If an account holder provided credit card data through PlayStation Network or Qriocity, it is possible that the credit card number (excluding security code) and expiration date may also have been obtained.