Focus on Sony: The PlayStation Network Security Breach
Risk presentation Sony 2012 The PlayStation Network Security Breach
1. Focus on Sony:
The PlayStation Network
Security Breach
IS510
JAMES DELLINGER
GRAINNE MALONE
JENNIFER MURPHY
RAN ZHANG
2. Overview
Focus on Sony
What data do they Collect?
High Profile Breach – What Happened and Why?
The Aftermath
Sony’s Response
Policies Introduced as a Result
What has Happened Since?
Vulnerabilities in Legislation
3. Sony
One of the world’s leading digital entertainment brands, with a large
portfolio of multimedia content.
Sony Computer Entertainment
The PlayStation Network (PSN)
4. PSN Data Collection
Name
Address
Country
E-mail address
Date of Birth
PSN password and login name
Credit Card Details
Purchase History
Answers to Users’ Security Questions
5. What Happened?
Security Breach in PlayStation Network
Shutdown of service
77 million users put at risk
Personal information stolen
6. Security Issues
Weak security system
Lack of random number in algorithm
Lack of Firewalls
Obsolete web applications
Lack of Management support
7. Response from Sony?
Very slow reaction time
Poor communication
Lack of transparency
Lack of direction
9. Creation of a New Position - CISO
“to oversee information
security, privacy and internet
safety across the company,
coordinating closely with key
headquarters groups and
working in partnership with
the information security
community to bring the best
ideas and approaches to
Sony.”
– Sony Corporation
10. Number of Actions Taken
Moved PSN server to a new, more secure and unnamed
location
Enhanced levels of data protection and encryption
Enhanced ability to detect software intrusions,
unauthorized access and unusual activity patterns
Additional firewalls
Established a new data center in an undisclosed
location with increased security
11. Changes of Terms of Service
September 2011 - No Suing Policy!
“Other than those matters listed in the Exclusions from
Arbitration clause, you and the Sony Entity that you have a
Dispute with agree to seek resolution of the Dispute only
through arbitration of that Dispute in accordance with the
terms of this Section 15, and not litigate any Dispute in
court. Arbitration means that the Dispute will be resolved by
a neutral arbitrator instead of in a court by a judge or jury.”
- Section 15, Terms of Service, Sony Entertainment Network
13. Ahhhhhh Not Again!!!
June 2011 - SQL injection attack against Sony
Pictures disclosed personal information of over 1
million Sony customers
June 2011 – an attack against Sony’s Developer
Network posted 54MB of Sony developer source code.
October 2011 – Brute-force attack broke into
93,000 PlayStation and Sony network accounts
January 2012 – attack against several websites
operated by Sony for the corporation’s support of the
US Stop Online Piracy Act (SOPA).
14. Issues with Legislation
Security breaches of this nature fall under data
protection and privacy regulation, which the
European Commission leaves to each EU member
state, unlike Europe’s antitrust regulation, which is
centralised.
United Kingdom - Information Commissioner’s
Office (ICO)
Ireland - Data Protection Commissioner
15. Future Legislation
E-Privacy Directive
A swift, mandatory disclosure about a data breach
EU Justice Commissioner
‘They will modernize rules dating from 1995, and
could expand to e-banking, online shopping or the
personal data field’