Sony announced that as a result of a second cyberattack on its PlayStation Network, the personal information of an additional 25 million customers was stolen. So, we thought we’d bring back Intersections Consumer Security Advisor Neal O’Farrell for his take on these events. The announcement by Sony yesterday follows revelations last week by the consumer electronics giant that personal information (including credit card data) from more than 70 million customers had been stolen in one of the largest data breaches in history. In today’s post, Neal shares with our readers ten things we can learn from the Sony PlayStation breach.
In case you hadn't heard, Sony recently fell victim to one of the biggest data breaches ever, as its popular PlayStation Network online gaming platform was attacked by hackers. The breach may have exposed the personal information of up to 77 million users, and that data may have included anything from names, addresses, and logins, to billing history and even credit card data.
It's going to take some time for Sony and its security experts to figure out exactly how the attack happened and what information was stolen. But as the accusations and lawsuits begin to fly, I thought it might be interesting to see how much, if anything, we can all learn from the breach. Here are just a few things that popped into my head:
- As long as there is data there will be data breaches. Crooks are after data, either to sell to other crooks or to turn into cash through phishing, spam, identity theft, scareware, and any of the other dozens of money-making scams. They don't really care where they get data and the harder it is to get at the data, the more resourceful and determined the hackers become.
- The next "biggest data breach ever" is always just around the corner. Successful hacks embolden hackers, and if one group proves they can get away with a massive data heist, other criminal groups will try to out-breach them.
- Any old data will do. It's not just credit card and Social Security numbers that are of value, but even just a name and email address will work. Hackers have become very good at exploiting even the smallest amount of data, so it's never safe to assume that you're safe if all they got was a name or email address.
- The biggest problem is not security, it is marketing. Data is vulnerable not just because businesses store so much of it, but because it's constantly on the move. If your personal data were stored in a vault and rarely accessed, there would be few data breaches. But once a business has your data, almost everyone in that business wants access to it. Marketing departments want to figure out who you are as a consumer, your preferences and buying habits, how much you spend, and when, what websites you visit and how long you stay there and so on. To most marketing departments, your email address is not enough. They don't just want to know who to email to, but why. Hackers, on the other hand, are more than satisfied with just your email address.
- Don't tick off hackers. While Sony is not publicly saying, there have been rumors that the breach was the result of payback by a hacker group annoyed at Sony over the way it dealt with hackers who tried to steal online gaming accounts. As a consumer, you should never respond to, communicate with, or in any other way develop a dialog with spammers, phishers or anyone else who targets you with a scam. It could unleash even more harm directly at you. Most hackers and scammers remain anonymous, and so should you.
- Never assume that your data is safe just because it's in the hands of a big company. While big companies are supposed to have big security budgets and big security teams, that's not necessarily a good thing. With so much data travelling over so many networks, servers, and databases, a big company simply means more points of entry to guard. And there may be no budget big enough to plug every single security gap.
- Just because breached businesses don't tell you about a breach right away doesn't necessarily mean they're hiding something. If a company were to announce a breach the same hour they detected it, but had not had any time to figure out the nature and extent of the breach, they wouldn't have many answers to give. And then they risk being accused of being evasive.
- Having said that, many companies are still very evasive about the facts of a breach. Don't expect breached companies to be honest and open. Whenever there's a breach, public relations usually take charge, and their goal is to minimize damage and not maximize openness.
- Breach fatigue is setting in. I mentioned this idea in a recent interview I did with BankInfoSecurity.com, and it's a growing concern. The more consumers hear about data breaches, identity theft, and cybercrime, the more inclined they are to tune the headlines out. And that plays perfectly into the hands of both the hackers and the companies they hack.
- Many businesses don't care about breaches as much as they should because they're not as scared of the damages as they used to be. After the massive data breach at the TJ Maxx chain of stores in 2007, experts said it would have a huge impact on the store's bottom line. But the bottom line was that in the 12 months after the highly publicized breach, the company's revenues, profits, and share price all ended up.