An Unprecedented Data Breach


Friday, April 29, 2011

On April 20th, the PlayStation Network, the online service that allows PlayStation owners to play games online, purchase content and stream movies and audio, suddenly went dark. On April 22nd, Sony, the company behind PlayStation, issued a statement explaining that the outage was due to a, quote, “external intrusion by hackers.” Gaming and tech blogs took notice but the story was largely ignored by the mainstream press, at least, that is, until this past Tuesday when in a blog post Sony told its 77 million worldwide PlayStation Network customers that because of the attack on its network, their names, birthdates, home addresses, email addresses and credit card data could be at risk. Additionally, the PlayStation Network, a core component of the PlayStation’s functionality, remains offline, with Sony saying it is hoping that it will be back up by Tuesday, May 3rd, almost two weeks after the initial attack. Nick Bilton, lead technology writer for the Bits Blog at The New York Times, says this is just the latest and by far the largest in a growing trend of personal information making its way out of online entities that we trust and into the hands of, well, who knows? Nick, welcome back to the show.

NICK BILTON: Thanks for having me on.

BOB GARFIELD: Let's talk about what’s at stake here. Having your credit card in the hands of some hacker is one obvious one. Another is passwords. Has that number of passwords ever fallen into the wrong hands before?

NICK BILTON: Well, there’s been a number of recent cases of hackers gaining access to companies and servers, and so on. Last month there was Epsilon, which is a marketing company, which stores hundreds of millions of email addresses and in some instances passwords and so on, that was breached and the hackers got a hold of all of this information. A couple of months ago the AT&T servers had a problem when someone gained access to the iPads and figured out people’s email addresses and, and a number that identifies the iPad. But this is the first time that something this huge has happened to Sony or a company similar to this, where they’ve actually said that passwords and email addresses and addresses, and so on, were taken.

BOB GARFIELD: Do you know who the suspects are in this episode?

NICK BILTON: We really don't. I've written a lot about hackers in the past for The Times, and there’s several groups of hackers. There’s a, there’s a group called Black Hats, which are essentially people that are really taking people’s personal information and using them to make money. And then there’s a group called the White Hats, and they are the ones that try to stop these “villains,” quote, unquote, and really try to help people protect their networks. But what’s happened over the past couple of years is there’s a group in the middle called Gray Hats, and they are essentially just out to cause trouble. And they're people that will bring down a website or they will steal passwords and throw them in the garbage or whatever it is that they want to do to infiltrate a company. We don't know if the motives behind this hacking with PlayStation was people that were actually trying to make money on these credit cards, and so on, or if it was people that were just trying to bring the network down because they don't like the company.

BOB GARFIELD: It took Sony almost a week before it informed the world of the scale and the scope of the breach. Why so long? Do you have any idea?

NICK BILTON: It’s a really interesting question, and it’s a problem that we've seen happen over and over. Part of this is that there’s no federal law that says these companies have to divulge information straightaway. There are state laws that say that they have up to a week to notify customers when their personal information is taken. Sony says that it took them seven days to respond because they didn't really know the extent of what had happened. There are a lot of people that say, hey, you probably knew immediately that the network had been infiltrated and you had a responsibility to let consumers know straightaway. As these cases keep coming up more and more, I think we're going to have to see some kind of federal law that is put into place that actually changes the policies, so people know straightaway if their credit card information or their home address has been taken.

BOB GARFIELD: So what happens next?

NICK BILTON: Sony is working with the FBI in San Diego, the Cyber Crimes Division, to try to determine who it was that got into the system. They're also working with some outside security companies to try to fix the problem and get it back online as soon as possible. A lot of people are now looking on these underground networks where credit card information and personal identification information is, is sold between hackers.

BOB GARFIELD: I have to say I'm stunned that the passwords in the system at Sony were not encrypted to protect against this very sort of breach. Do you foresee much more stringent regulations about how companies must treat personal information within their own servers?

NICK BILTON: Oh, without a doubt. I mean, I think that right now there are no repercussions for these companies so, you know, Sony will probably get sued by some customers and they'll settle out of court and - but other than that, no one’s going to get in any kind of trouble. And I think that that has to change. Every week there’s a new story in the media that talks about a website that was hacked or people’s passwords that were taken, as we divulge more and more information to sites in exchange for use of them. There’s a bill going forward right now from Senator Kerry and Senator McCain that’s called the Privacy Act, and that is really trying to give people the option to be on a Do Not Track list and to have more control over their content on social media websites. But it really does not include anything about location tracking or the kind of password breaches or security breaches that take place on these companies on a regular basis.

BOB GARFIELD: All right, Nick. Thank you very much.

NICK BILTON: Thank you.

BOB GARFIELD: Nick Bilton writes for the Bits Blog at The New York Times.