Case Study - Sony PlayStation Network hack and theft of 70 million customer records

Case study: PlayStation Network Hack

"In April 2011, Sony revealed that the PlayStation Network, used by millions of consumers worldwide, had been breached by hackers. The breach went unnoticed by Sony for several days and ultimately resulted in the theft of up to 70 million customer records. The records included customer names, addresses, emails, dates of birth and account password details, information which could have enabled additional attacks or identity theft.
In order to assess the scale of the damage and repair the vulnerabilities that led to the attack, Sony took the PlayStation Network offline, a move which cost the company, and merchants who offered services via the network, significant amounts of revenue.
In addition to the cost of fixing the breach, Sony was fined £250,000 by the Information Commissioner's Office as a result of a 'serious breach' of the Data Protection Act, stating that 'The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.'
The precise financial cost to Sony is unclear but estimates place it at approximately £105 million, excluding the revenue loss by partner companies, damage to its reputation and potential damage to its customers."

So how do the principles of CIA apply to the PlayStation case? Quite obviously, confidentiality was violated: there was a chance that unauthorised people could read the data. However, authorised users still had full access to the data, so it remained available; and the data was not changed, so its integrity was preserved.

The Sony PlayStation Network (PSN) hack highlights the grave threat that malware and online hackers pose to individuals and organisations. In Sony's case, the attack on the PSN led to a breach of confidentiality, as the personal data of millions of customers was leaked. The data leaked included names, birthdays, email addresses, passwords, security questions and possibly credit card details. Because of the type of data leaked, this could also lead to identity theft. Integrity could have been affected if the hackers had changed users' passwords or other data; there were reports that Sony discovered an exploit which allowed users to reset other users' passwords, which is clearly a breach of integrity. The biggest setback to Sony was the effect on availability, as the PSN had to be taken offline to secure it and recover from the breach. Despite being fined a hefty sum of money for its poor security mechanisms, Sony did not learn much from the attack, as the PSN was hacked again in 2014. Despite knowing the threat such attacks pose to privacy and data security, organisations continue to be lax about security.
  
As we move to a digitised world, such attacks will continue to take place, and we should not assume that big organisations are prepared to ensure the security of our data. Basic measures, like using different passwords for different services and not sharing credit card information, need to be taken by all of us. Similarly, governments need to be stricter with companies and penalise them severely for such breaches. The requirement by companies like Apple and Sony to share credit card details should also be removed. It is imperative that we learn from these mistakes to build a safer digital world.

Sources
https://en.wikipedia.org/wiki/2011_PlayStation_Network_outage
http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/
www.futurelearn.com/courses/introduction-to-cyber-security/ - The case study is part of the Introduction to Cyber Security course at FutureLearn.