(Sony) Risk assignment final high profile security breach of Sony’s Playstation Network (PSN)

This report will explore the high profile security breach of Sony’s Playstation Network (PSN) that led to millions of users’ personal and financial information being exposed. Focus will be placed on what occurred in the aftermath, analysing Sony’s response.


IS510 Risk Management & Regulation in e-Commerce: Focus on Sony
27th April 2012
James Dellinger, Grainne Malone, Jennifer Murphy, Ran Zhang
DCU BUSINESS SCHOOL ASSIGNMENT SUBMISSION
Student names: James Dellinger, Grainne Malone, Jennifer Murphy, Ran Zhang
Programme: MECB1 - MSc in Electronic Commerce
Module code: IS510, Risk Management & Regulation in e-Commerce
Project title: Assignment: Focus on Sony
Lecturer: Jack Nagle
Project due date: 27-APR-2012

Declaration: I the undersigned declare that the project material which I now submit is my own work. Any assistance received by way of borrowing from the work of others has been cited and acknowledged within the work. I make this declaration in the knowledge that a breach of the rules pertaining to project submission may carry serious consequences. I am aware that the project will not be accepted unless this form has been handed in along with the project.
TABLE OF CONTENTS
DCU Business School Assignment Submission
Introduction
Company Overview
  PSN Data Collection
High Profile Data Breach Incident
  Why it happened
  Sony's Immediate Response
  Policies Introduced as a Result
  Any Recent Scandal
Vulnerabilities in Legislation
Conclusions
References/Literature
INTRODUCTION
It is anticipated that global e-commerce revenue will hit $963 billion by 2013, with predicted growth of 19% annually (Rao, L., 2011). This growth will undoubtedly see more consumers handing over personal financial data. With frequent high profile online security breaches jeopardising consumers' information, the focus must be on what measures companies are taking to secure this data and what legislation exists to place obligations on commercial entities to meet acceptable standards of online security.

This report will explore the high profile security breach of Sony's PlayStation Network (PSN) that led to millions of users' personal and financial information being exposed. Focus will be placed on what occurred in the aftermath, analysing Sony's response. An analysis will also be made of the damage, if any, that was done to the company's corporate reputation, and the measures that have been brought about to negate any damage done to the brand's reputation and avoid such a scenario arising again.

Finally, there will be a discussion as to the role of legislation in defining Sony's legal responsibility with respect to this incident.

COMPANY OVERVIEW
Sony needs little introduction as one of the world's leading digital entertainment brands, with a large portfolio of multimedia content. A key focus for Sony, and the focus of this report, is its gaming division, Sony Computer Entertainment, a major video game company active in many areas of the video game industry. The PlayStation Network (PSN) is an online multiplayer gaming and digital media delivery service; to use the service, users are required to create an account.

PSN DATA COLLECTION
Sony collects data from its PlayStation Network account holders for the purpose of billing. Data collection is as follows:
  • Name
  • Address
  • Country
  • E-mail address
  • Date of birth
  • PSN password and login name

Apart from this profile data, additional information is compiled internally, including purchase history, billing address and the answers to the security questions on users' accounts.

HIGH PROFILE DATA BREACH INCIDENT
On 19th April 2011 Sony discovered a security breach in its PlayStation Network (PSN), resulting in a temporary shutdown of service for users. Customers were unable to download any games or play online. Qriocity, Sony's music and video streaming service, was also impacted (O'Brien, 2011). Separately, hackers had earlier exposed a weakness in the PlayStation 3's code-signing system, obtaining the private signing key needed to run any software on the machines (Stuart, 2011). The PSN breach was one of the most significant ever, with 77 million users put at risk of fraudulent activity via credit cards. The hackers stole users' personal information which, if sold on through online black markets, had a potential worth of £100 million (Arthur and Stuart, 2011).

WHY IT HAPPENED
The attack on the Sony PlayStation Network was enabled by the lack of a random number in the algorithm utilised by the security system. The PS3 signed its software with ECDSA, which requires a fresh, secret random value (the nonce) for every signature; a fixed value was used instead, and two signatures that share a nonce are enough to compute the signing key. This ultimately allowed the secret key used for the protection of digital content on the system to be discovered. This was a crucial mistake for Sony to make (Markoff, 2012). The security practices in place in Sony also left much to be desired. The company failed to protect the networks with firewalls. Sony was also using Web applications that were obsolete, making the company's sites attractive targets for hacking activity. Outdated versions of the Apache Web server were in use and there were no patches applied on the PlayStation Network. There was no firewall running on the PlayStation Network servers (Rashid, 2011).

Within the Sony organisation, at board level, there were also problems and failings. There existed organisational complexity and a lack of adequate support for security. It is not known exactly what security measures Sony had in place prior to the breach. However, organisational complacency also played a role in the PlayStation Network attacks. Security entails more than adequate software and encryption; all aspects of the company require involvement: people, processes and technology (Boyd and Thomas, 2011).

SONY'S IMMEDIATE RESPONSE
The response from Sony to the PlayStation Network attack was far from ideal. It took until April 26th, a week after the event, for the company to admit that personal information had in fact been stolen and that credit card information might also have been taken. It took until day 11 for Sony executives to apologise, with the CEO, Howard Stringer, still remaining publicly silent. The lack of clear communication, transparency and direction to their customers following the security breach was extremely poor. On May 6th an apology from Stringer finally came. The company would offer all its PlayStation Network customers free credit monitoring and ID theft protection for a year (Noer, 2011).

New security measures were implemented by the company. Sony consulted security experts to strengthen the safeguards against unauthorised activity and protect the personal information of its customers. The new security systems put in place included software monitoring, penetration and vulnerability testing.
Increased encryption and firewalls were also put in place. Symantec worked with Sony to improve this security and relocate the network to another data centre. The company also recognised the need for improved management (Takahashi, 2011).
POLICIES INTRODUCED AS A RESULT
A few months after the attack, Sony created a new position, Chief Information Security Officer (CISO), and appointed Philip Reitinger, a former Microsoft executive and director of the National Cyber Security Center at the US Department of Homeland Security, to this position, responsible for "security of Sony's information assets and services". His job is to oversee information security, privacy and internet safety across the company, coordinating closely with key headquarters groups and working in partnership with the information security community to bring the best ideas and approaches to Sony (Source: Sony Corp. Info).

Sony also introduced a line in its Terms of Service asking users to agree not to take legal action against Sony in court (Source: Section 15, Terms of Service, Sony Entertainment Network). This was criticised by the public; however, Sony claimed that it was for the benefit of both Sony itself and its customers.

ANY RECENT SCANDAL
Even after Sony claimed that its level of data protection had increased, it remained the target of several security breaches:
  1. June 2011: An SQL injection attack by the hacking group LulzSec against Sony Pictures disclosed personal information of over 1 million Sony customers.
  2. June 2011: Just a few days after the SQL injection attack, the same group targeted Sony's developer network and posted details of Sony BMG network maps from a New York City office and 54MB of Sony developer source code.
  3. October 2011: A brute-force attack broke into 93,000 PlayStation and Sony network accounts.
  4. January 2012: Attacks against several websites operated by Sony, in protest at the corporation's support of the US Stop Online Piracy Act (SOPA).

VULNERABILITIES IN LEGISLATION
European Regulations
In Europe, security breaches of this nature fall under data protection and privacy regulation, which the European Commission leaves to each EU member state, unlike Europe's antitrust regulation, which is centralised. In the aftermath of Sony's breach, a number of European countries launched independent investigations. The advantage of the centralised approach taken in antitrust is that the European Commission has the power to issue multibillion euro fines to companies found in breach, which it has successfully done in the past to companies like Microsoft and Intel.

In the United Kingdom, the Information Commissioner's Office (ICO) has the power to fine Sony up to £500,000 if it finds that individuals were 'seriously affected'. However, one year on from the breach, a decision on whether Sony will be fined is not due until early May 2012, according to the ICO website.

In Ireland, the Data Protection Commissioner contacted Sony Ireland and requested the company to prepare a full report disclosing the risk posed to its Irish customers. The fact that Irish regulation did not require the Data Protection Commissioner to launch an independent investigation (despite the nature of the high profile breach) indicates a vulnerability in Irish data protection regulation.
Sony was never ordered to pay a fine in Ireland and, despite investigations in countries including Spain, France, Germany and the Czech Republic, no country has yet issued a fine.

Although there are European member states that would be unwilling to relinquish control of their data protection regulations, it must be highlighted that the lack of centralisation means that serious security breaches involving consumer data are occurring without any damaging financial penalties being imposed on the company. With few implications or consequences in place for breaches of this magnitude, it could be argued that there is, as a result, little motivation for companies to invest heavily in security and policies that would protect their consumers' data.

This breach ignited new discussions in Europe regarding the extension of current data protection laws beyond the telecommunications industry. These laws, known as the E-Privacy Directive, currently affect the telecommunications industry and require telecom networks in the EU to make a swift, mandatory disclosure about a data breach. Matthew Newman, a spokesman for the EU Justice Commissioner, was quoted as saying that if the proposed extension to the directive is made, "they will modernize rules dating from 1995, and could expand to e-banking, online shopping or the personal data field".

CONCLUSIONS
The Sony case has taught different people many lessons. For our interest in risks and how they relate to consumer information and data breaches, this remains an important case to study. The terms of a company's duty to disclose have been more closely scrutinised by regulators worldwide, given the large fraud-related concerns. This was primarily due to Sony's poor response to inquiries during the crisis. More lenient legal constructs (like California's) regarding obligations to inform customers and clients of data breaches have become more noticeably in need of reform for consumer and fraud protection. However, what actually changes at the American federal and European intergovernmental level is still up in the air.

REFERENCES/LITERATURE
Arthur, C. and Stuart, K. 2011. PlayStation Network users fear identity theft after major data leak [Online]. Available from: http://www.guardian.co.uk/technology/2011/apr/27/playstation-users-identity-theft-data-leak?INTCMP=ILCNETTXT3487 [Accessed April 2012].
Boyd, C. and Thomas, S. 2011. Security lessons from the PlayStation Network breach [Online]. Available from: http://venturebeat.com/2011/09/22/security-lessons-from-the-playstation-network-breach/ [Accessed April 2012].
Markoff, J. 2012. Flaw Found in an Online Encryption Method [Online]. Available from: http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?pagewanted=all [Accessed April 2012].
Noer, M. 2011. Sony Response to PlayStation Security Breach Abysmal [Online]. Available from: http://web.ebscohost.com.remote.library.dcu.ie/ehost/detail?vid=3&hid=19&sid=8911fbf4-838c-4cfd-b915-9a6091edff44%40sessionmgr14&bdata=JnNpdGU9ZWhvc3QtbGl2ZQ%3d%3d#db=bth&AN=65258326 [Accessed April 2012].
O'Brien, C. 2011. Sony's PlayStation network hacked [Online]. Available from: http://www.irishtimes.com/newspaper/breaking/2011/0427/breaking2.html [Accessed April 2012].
Rao, L. 2011. J.P. Morgan: Global E-Commerce Revenue To Grow By 19 Percent In 2011 To $680B. TechCrunch [Online]. Available from: http://techcrunch.com/2011/01/03/j-p-morgan-global-e-commerce-revenue-to-grow-by-19-percent-in-2011-to-680b/
Rashid, F.Y. 2011. Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony [Online]. Available from: http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/ [Accessed April 2012].
Stuart, K. 2011. PlayStation 3 hack – how it happened and what it means [Online]. Available from: http://www.guardian.co.uk/technology/gamesblog/2011/jan/07/playstation-3-hack-ps3?intcmp=239 [Accessed April 2012].
Takahashi, D. 2011. Will PlayStation Network's improved security be good enough? [Online]. Available from: http://venturebeat.com/2011/05/14/will-the-improved-security-for-playstation-network-be-good-enough/ [Accessed April 2012].
Seybold, P. 2011. Sony's Response to the U.S. House of Representatives. PlayStation Blog, 04 May 2011 [Online]. Available from: http://blog.us.playstation.com/2011/05/04/sonys-response-to-the-u-s-house-of-representatives/
Sony Corporation. 2011. Philip R. Reitinger is Named Senior Vice President and Chief Information Security Officer, Sony Corporation. Sony Corp. Info., News Releases, September 6, 2011 [Online]. Available from: http://www.sony.net/SonyInfo/News/Press/201109/11-109E/index.html
Sony Entertainment Network. Terms of Service [Online]. Available from: www.sonyentertainmentnetwork.com/terms-of-service/