Ontario woman sues Sony over data breach

2011 is turning into the year of the security breach. We can’t go two weeks without an organization revealing that hackers broke in and stole data.  As if things couldn’t get any worse for Sony, breached twice in less than two weeks, the users whose data it was supposed to protect are now adding insult to injury.  From CBC.ca:

A proposed class action lawsuit has been filed in Ontario on behalf of about one million Canadian PlayStation and Qriocity users.   Sony Corp. said Monday that hackers may have taken personal information from more than 100 million user accounts worldwide in recent PlayStation Network breaches.

Sony has acknowledged that the information may include users' names, addresses, birth dates, passwords and billing information.  The Toronto law firm McPhadden Samac Tuovi is proposing the class action suit against Sony Japan, Sony USA, Sony Canada and other Sony entities for breach of privacy.

The lawsuit claims damages in excess of $1 billion, which includes having Sony pay the costs of credit monitoring services and fraud insurance coverage for two years.  The representative plaintiff in the action, which contains allegations that haven't been proven in court, is Natasha Maksimovic, 21, of Mississauga, Ont.  "If you can't trust a huge multinational corporation like Sony to protect your private information, who can you trust?" Maksimovic asked Tuesday in a release.

The statement of claim filed Tuesday says Maksimovic signed up for the PlayStation Network and Qriocity, as required by Sony, to use her PlayStation Portable and Sony E-book reader.  Sony "failed to adequately safeguard certain personal information, financial data and usage data," the statement alleges.

I remember back in the late 1990s while I was still in university (that’s “college” for my American readers and “uni” for my British ones), I took a course in law.  It was one of my favorite courses.  The first two days of class were on patent law, the last 2/3 of the class was on the environment and how humanity is ruining it, but the part squeezed in between was on legal liability – civil law. That was one of my favorite sections of my entire time in university (I wanted to be a lawyer in high school but switched to engineering).  Civil law does not deal in guilt or innocence like criminal law, but instead deals with the issue of liability.  Was Sony negligent in this case?

It’s a good question.  Are banks liable for the money they lose when they are held up by bank robbers?  That is a case where they lost customer assets.  Most banks are insured, and I am not a lawyer, but the answer to this question is… I don’t know.  Probably not.

Was Sony negligent in this case?  They were allegedly the victims of a sophisticated cyber attack by a group of hackers calling themselves Anonymous.  This is the same group that allegedly conducted DDoS attacks against some financial institutions during the WikiLeaks exposure in late 2010 (note: Anonymous originally denied the attack, but according to PC Magazine they may be responsible).  Were Sony’s defenses reasonable, or could any ham-and-egger hacker have gotten through?  The literature that I have read indicates that the hackers exploited some obscure(ish) security vulnerabilities in their software.  The question is whether or not Sony should have known about these vulnerabilities and had them patched.

Even if they weren’t patched, was Sony negligent in protecting their customers’ data?  According to the lawsuit, the hackers grabbed the user names, addresses, birth dates, passwords, and billing information.  Some of this data should have been encrypted.  Which set of data?

Microsoft has guidelines around which data needs to be protected by classifying it into three different categories – High Business Impact (HBI), Medium Business Impact (MBI) and Low Business Impact (LBI):

  • HBI – Authentication and authorization credentials, government provisioned ID (Social Security or driver’s licenses), financial profiles (credit reports), medical profiles (medical records or biometric information).  HBI must be encrypted while in transit and while stored and not in use.

  • MBI – Personally identifiable information that is not as sensitive as HBI.  Examples are an individual’s race, ethnic origin, political orientation, or physical health.  This also includes contact information such as a name, address, email address, fax, etc.  MBI must be encrypted while in transit.  It does not have to be encrypted while stored and not in use.  Encryption must be at least 128-bit.

  • LBI – Information that is typically intended to be widely published, like web pages, public cryptographic keys, and press releases.  LBI does not need to be encrypted.

These are Microsoft’s guidelines and I can’t speak for Sony, but if Sony had something similar then we can use it to analyze the original lawsuit complaint.  According to Fox News, here’s what Sony lost:

Hackers may have obtained users' names, home addresses, email addresses, birthdates, PlayStation Network usernames and passwords, and answers to password security questions, according to the blog post.

There was no evidence that credit card information had been compromised, but Sony said it "cannot rule out the possibility" that hackers could access such information.

Using the guidelines that Microsoft has, here’s what Sony lost:

  • HBI – PlayStation Network usernames and passwords.  If credit cards were lost, then they go here too.
  • MBI – users’ names, home addresses, email addresses, birthdates, and answers to security questions (debatable, but I place it here).
  • LBI – none.
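As an added example (not code from the original post or from Microsoft or Sony), the following Python script encodes the three tiers and their protection rules as stated above (HBI encrypted in transit and at rest, MBI in transit only, LBI neither, keys of at least 128 bits) and audits a constructed data inventory against them.  The field names, the mapping of the post’s list onto the tiers, and the key sizes in the sample inventory are all assumptions made for the example.

```python
"""Audit a data inventory against the three-tier HBI/MBI/LBI policy described above."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    HBI = "High Business Impact"
    MBI = "Medium Business Impact"
    LBI = "Low Business Impact"


# Assumed field-to-tier mapping, following the post's placement of the leaked fields.
# The field names are constructed for this example.
FIELD_IMPACT = {
    "psn_username": Impact.HBI,               # authentication credential
    "password": Impact.HBI,                   # authentication credential
    "credit_card_number": Impact.HBI,         # financial data
    "name": Impact.MBI,                       # contact information
    "home_address": Impact.MBI,
    "email_address": Impact.MBI,
    "birthdate": Impact.MBI,
    "security_question_answer": Impact.MBI,   # the post's (debatable) placement
    "press_release": Impact.LBI,              # intended to be public
}

# (must be encrypted in transit, must be encrypted at rest), per tier.
REQUIREMENTS = {
    Impact.HBI: (True, True),
    Impact.MBI: (True, False),
    Impact.LBI: (False, False),
}
MIN_KEY_BITS = 128  # the "at least 128 bit" floor from the guidelines


@dataclass(frozen=True)
class StoredField:
    name: str
    transit_key_bits: int  # 0 means sent in the clear
    rest_key_bits: int     # 0 means stored in the clear


def classify(field_name: str) -> Impact:
    """Map a field to its tier; unknown fields fail closed to HBI."""
    return FIELD_IMPACT.get(field_name, Impact.HBI)


def audit(inventory: list[StoredField]) -> list[str]:
    """Return one finding per policy violation; an empty list means compliant."""
    findings = []
    for f in inventory:
        tier = classify(f.name)
        need_transit, need_rest = REQUIREMENTS[tier]
        checks = (("transit", need_transit, f.transit_key_bits),
                  ("rest", need_rest, f.rest_key_bits))
        for where, needed, bits in checks:
            if not needed:
                continue
            if bits == 0:
                findings.append(f"{f.name} ({tier.name}): not encrypted at {where}")
            elif bits < MIN_KEY_BITS:
                findings.append(
                    f"{f.name} ({tier.name}): {bits}-bit key at {where} is below {MIN_KEY_BITS}")
    return findings


# Constructed sample inventory: a hypothetical storage review of fields named in the post.
SAMPLE_INVENTORY = [
    StoredField("password", transit_key_bits=128, rest_key_bits=0),            # HBI, clear at rest
    StoredField("credit_card_number", transit_key_bits=256, rest_key_bits=256),  # HBI, compliant
    StoredField("name", transit_key_bits=128, rest_key_bits=0),                # MBI, at rest not required
    StoredField("birthdate", transit_key_bits=56, rest_key_bits=0),            # MBI, weak transit key
    StoredField("press_release", transit_key_bits=0, rest_key_bits=0),         # LBI, nothing required
    StoredField("loyalty_points", transit_key_bits=128, rest_key_bits=128),    # unmapped -> treated as HBI
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

Run as a script it prints two findings: the plaintext password store and the 56-bit key on the birthdate field.  Two design choices worth noting: an unmapped field is treated as HBI so that a forgotten column is flagged rather than silently ignored, and for passwords specifically the usual practice is a salted one-way hash rather than reversible encryption, because a hash has no key that can be stolen alongside the data.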

If Sony did not have the HBI above encrypted, then shame on them.  Sensitive information like that needs to be encrypted (according to PC Magazine, credit card companies had not reported any fraudulent charges related to the hack).  However, Sony has not commented either way on whether or not the data was encrypted, therefore I withhold my “shame on them” comment.  It seems like a company as big as Sony, which has been doing consumer electronics for years, would know about this sort of thing.

The problem is that even if Sony had the data encrypted, that is not a guaranteed protection against theft.  Earlier this year, hackers hit RSA with a cyber attack and compromised the company’s algorithm and the seed that generates its random tokens.  If a hacker stole the encrypted data along with the encryption algorithm and the seed, then they could easily decrypt the information and steal it.

And that brings us back to the question of whether or not Sony was negligent in this case.  I can only offer my opinion on this matter; I am not a legal expert, nor have I ever been asked to testify in a case like this.  But:

  • If Sony had the sensitive information encrypted, and
  • Made sure that their software had all the known patches, and
  • Practiced proper security policies with their employees,

… then it would be difficult to make the case that they were negligent in protecting their customers’ data.