Risk presentation Sony 2012 The PlayStation Network Security Breach

Post on 14-May-2015


Transcript of Risk presentation Sony 2012 The PlayStation Network Security Breach

IS510

JAMES DELLINGER, GRAINNE MALONE, JENNIFER MURPHY, RAN ZHANG

Focus on Sony: The PlayStation Network Security Breach

Overview

Focus on Sony

What data do they Collect?

High Profile Breach – What Happened and Why?

The Aftermath

Sony’s Response

Policies Introduced as a Result

What has Happened Since?

Vulnerabilities in Legislation

Sony

One of the world’s leading digital entertainment brands, with a large portfolio of multimedia content.

Sony Computer Entertainment

The PlayStation Network (PSN)

PSN Data Collection

Name

Address

Country

E-mail address

Date of Birth

PSN password and login name

Credit Card Details

Purchase History

Answers to Users’ Security Questions

What Happened?

Security Breach in PlayStation Network

Shutdown of service

77 million users put at risk

Personal information stolen

Security Issues

Weak security system

Lack of random number in algorithm

Lack of Firewalls

Obsolete web applications

Lack of Management support

Response from Sony?

Very slow reaction time

Poor communication

Lack of transparency

Lack of direction

Measures Introduced

Software monitoring

Penetration and Vulnerability testing

Encryption

Firewalls

Security personnel

Creation of a New Position - CISO

“to oversee information security, privacy and internet safety across the company, coordinating closely with key headquarters groups and working in partnership with the information security community to bring the best ideas and approaches to Sony.” – Sony Corporation

Number of Actions Taken

Moved PSN server to a new, more secure and unnamed location

Enhanced levels of data protection and encryption

Enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns

Additional firewalls

Established a new data center in an undisclosed location with increased security

Changes of Terms of Service

September 2011 - No Suing Policy!

“Other than those matters listed in the Exclusions from Arbitration clause, you and the Sony Entity that you have a Dispute with agree to seek resolution of the Dispute only through arbitration of that Dispute in accordance with the terms of this Section 15, and not litigate any Dispute in court. Arbitration means that the Dispute will be resolved by a neutral arbitrator instead of in a court by a judge or jury.”

- Section 15, Terms of Service, Sony Entertainment Network

Recent Scandal?

Ahhhhhh Not Again!!!

June 2011 – an SQL injection attack against Sony Pictures disclosed personal information of over 1 million Sony customers.

June 2011 – an attack against Sony’s Developer Network posted 54MB of Sony developer source code.

October 2011 – a brute-force attack broke into 93,000 PlayStation and Sony network accounts.

January 2012 – an attack against several websites operated by Sony for the corporation’s support of the US Stop Online Piracy Act (SOPA).

Issues with Legislation

Security breaches of this nature fall under data protection and privacy regulation, which the European Commission leaves to each EU member state, unlike Europe’s antitrust regulation, which is centralised.

United Kingdom - Information Commissioner’s Office (ICO)

Ireland - Data Protection Commissioner

Future Legislation

E-Privacy Directive: a swift, mandatory disclosure about a data breach

EU Justice Commissioner: ‘They will modernize rules dating from 1995, and could expand to e-banking, online shopping or the personal data field’

Conclusion

What do you think? Who do you blame? What should be done?