
More thoughts on the Sony PlayStation Data Breach

by Neal O'Farrell on

According to a report today in the Wall Street Journal, Sony Corp. said it is unable to say when it can restore partial service to its PlayStation Network online game system, likely adding to pressure from already frustrated customers who have been subjected to stolen personal data as well as missed deadlines for resumption.

The article goes on to say that “the electronics company stuck with its earlier goal of fully restoring the service by the end of the month. But the company said Tuesday that it does not yet have any new deadline for partial resumption, after missing an earlier deadline. Sony said May 1 it aimed to resume some of the PlayStation Network and Qriocity online services within a week.”

With that in mind, we are pleased to welcome back Intersections’ Consumer Security Adviser, Neal O’Farrell, to share his additional thoughts on what some people are calling “the most costly data breach in history.”

No sooner had Sony done a major global mea culpa over its massive PlayStation data breach, which exposed the personal information of more than 77 million of its customers, than it followed with a "mea gulpa" announcement that the completely separate Sony Online Entertainment network also lost more than 25 million additional customer accounts to a breach by hackers.

In an interview with the Christian Science Monitor, Larry Ponemon, founder of the Ponemon Institute, a research organization that tracks the cost of data breaches, estimated that this breach alone could represent "the mother of all data breaches" and could end up costing Sony up to $2 billion. He added, "In this mobile connected world, everything is connected. Today it's our PlayStation, tomorrow it might be our refrigerator or our washing machine."

Naturally, there's been a lot of talk in the past few weeks about this and all the other breaches now announced almost daily. Specifically, the conversations have centered on what more we can do to prevent these data breaches in the first place, and whether they really make any difference to victims and consumers anyway.

The sad reality is that most businesses are not as scared of data breaches as they used to be. Sure they're an embarrassment, and can end up costing them a lot of money. And they can do a great deal of harm to some businesses, especially in the short term.

But I detect a growing apathy to data breaches amongst consumers — I call it breach fatigue — and I believe that many businesses are sensing this fatigue and as a result are worrying less about the long term damage. It's not unusual when a breach happens for the business involved to batten down the hatches, disappear into the bunkers, and leave their PR teams to deflect any questions or criticisms. After a week or two, the fuss has died down, the storm has passed, and executives can emerge from the bunkers.

We need to prevent this slide into indifference before it becomes the norm, and over the coming days and weeks I'll be sharing some ideas that I think might make a difference.

For example, I think it's time we considered creating a breach classification system. Just like a hurricane or earthquake classification, data breaches could be classified by severity to make it easier for consumers to understand how worried they should be about a particular breach.

For example, the lowest level of breach could be a Category 1 and assigned to a breach that involves only a handful of records and the least dangerous information, like a name. This could increase to a maximum Category 5, like the Sony breach, where millions of records are exposed and the data involved includes the most sensitive, like account information, credit cards, and Social Security numbers.

I think a classification system like this might at least make it easier to communicate to confused consumers just how serious a particular breach is, so they can focus on the most serious breaches and not worry so much about the ones that can do them the least harm.

There are obviously challenges to creating such a system, like who would assign the classification and how quickly a breach could be classified in a way that could be useful to consumers. But with data breaches now a daily occurrence, we must find ways to stem the apathy.
