It's been nearly one week since the PlayStation Network servers were taken down due to an "external intrusion," and nearly one day since we learned PSN users' personal information was stolen during said intrusion. We're still not quite sure of the full scope of the security breach, but the latest update from Sony paints a fairly upsetting picture: Gamers' personal (and, possibly, financial) data has been exposed on a scale more massive than the gaming industry has ever seen.
To help get a grasp on the situation, we spoke with consumer advocates and tech industry figures about what gamers can expect in the aftermath of this security breach. For instance: What financial or legal repercussions might Sony be facing in the coming months? And what can PSN users do to protect themselves from potential identity theft?
A History of Breaches
This certainly isn't the first (and, troublingly, not the last) time consumers' private data will be comprised. In recent years, security breaches have sparked discussions about digital privacy in the hopes of outfitting corporations with technology that can effectively defend against malicious attacks. Obviously, we're not quite there yet.
"If you're using the same password for PSN that you're using for your Gmail account or Facebook, there's countless ways for people to access your personal information."- Chris Morran, The Consumerist
Without knowing the full extent of how much information was stolen from Sony's database, it's hard to draw comparisons between this bean-spilling and those of the past. Chris Morran, senior editor for consumer advocacy news blog The Consumerist, provided a few examples of how much hot water Sony and, as a result, every PSN user could be in.
"This could be as semi innocuous as the big Epsilon leak that happened a few months ago," Morran said, "where no real information other than email addresses and names got out there. That's annoying, because you're going to have spam, but you can't do much in terms of ID theft with that."
"Or it could be like the Gawker Media hack from last year, where someone hacked the entire Gawker Media user base, for all of its sites, and leaked via BitTorrent the entire database of usernames and passwords," Morran continued. "Now, if you were smart and used unique usernames and passwords for all your sites, then you're fine, but if you were using the same login for your bank account, or for PayPal, you could be out a lot of money."
As far as the worst-case scenario, Morran added, "It could be as bad as Albert Gonzalez, a hacker who lived in Miami who led a trio of hackers, who stole $130 million worth of credit card information from various places [...] which was incredibly nasty."
The Next Step
Though we're still not sure exactly how much information was accessed through the unscrupulous attack on PSN, we do know that each user's "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID" have been obtained, according to Sony. Throw in the possibility of your credit or debit card information having been stolen, too, and that's an intimidating pile of your vulnerable data in the hands of someone else. So how do you protect yourself from getting, well, straight-up robbed?
"The setup is perfect for a class-action: a large group of people who've all signed the same contract and (theoretically) all suffered the same harm."- Nilay Patel, former copyright attorney
"The first thing you need to do is check your credit report," Morran suggested. "Once a year, you can check all three bureaus reports for free on AnnualCreditReport.com. I would do that now, and I would immediately check your bank and credit card statements online."
"If you're truly concerned, and you don't have a ton of things tied to your PSN credit card, you may -- I'm not advising people definitely do this -- but you may want to consider putting a hold on that credit card," he added. "If it's not the credit card you use to pay your electric bill, if you want to put a hold on it for a few days until Sony tells us for sure if that information has been leaked [or not], it's not a bad idea."
If you were using a debit card as your primary PlayStation Store wallet-stuffer, you've got a difficult decision to make. "Right now, given what little information we have, you have to calculate the risk for yourself," Morran explained. "Is the hassle of getting a new card and changing all of my automated payments tied to that card worth it for me to feel completely secure? For some people, it's going to be a definite 'yes.' For some, it might not be worth the hassle."
Of course, the first thing you should do is hopefully something you've done already: Change your passwords. "If you're using the same password for PSN that you're using for your Gmail account or Facebook, there's countless ways for people to access your personal information," Morran warned. "The first thing I'd want to do is make sure I'm not using a common password, especially if it's the same password I use on the PSN."
It's been almost one week since Sony's online storefront and multiplayer network was shut down indefinitely -- a fact that's taken a fairly immediate toll on both PSN developers and players alike. But what are the ramifications for Sony? What issues is the tech giant going to face in the aftermath of the outage and security breach?
Entertainment Consumers Association president Hal Halpin addressed one issue that's been on the minds of certain jilted PSN users: whether Sony owes players compensation for the inconvenience.
"I can appreciate the sentiment that many consumers are vocalizing: concern over the general lack of information available about the outage and the expected down time, as well as the anxiety regarding security and privacy breaches," Halpin said. "On the other hand, I'm not sure that I agree with those that are demanding compensation due to PSN being unavailable. Unlike Xbox Live, a paid subscription service, PSN is a free benefit of PS3 ownership, provided as a service."
"I truly don't think they will lose many customers over this."- Michael Pachter, Wedbush Securities
"One could make the argument that the consumer purchased their PS3 because it came with that free benefit, but to go so far as to expect compensation when it's not immediately available is -- to me at least -- a stretch," Halpin added. "The feedback that we're getting from ECA members is consistent with what others in the community are stating, which is primarily focused on the issue of private data lost and the growing impatience people are feeling because we know so little about the situation."
Sony may or may not feel compelled to provide all users with a fungible apology gift, though we'd expect some kind of compensation offered to PlayStation Plus subscribers. Still, any action is unlikely to prevent some users, paying or not, from pursuing compensatory damages in court. Nilay Patel, ThisIsMyNext editor and former copyright attorney, thinks this infraction is the perfect recipe for litigation.
"It's hard to know how much legal trouble Sony could be in without knowing the exact amount of personal data that was compromised, but it's almost certain that one or more class-action lawsuits will be filed in the week or so in an attempt to find out," Patel said. "The setup is perfect for a class-action: a large group of people who've all signed the same contract and (theoretically) all suffered the same harm."
What about further down the line? What kind of impact will this collective loss of trust have on Sony and the size of its consumer base? According to Wedbush Securities analyst Michael Pachter, the security blunder and outage are going to cost Sony some major bucks -- but not in the form of any significant lost business with the gaming community.
"It's hard to gauge how many customers will defect because of this, but my guess is not very many," Pachter said. "This is a huge inconvenience, but most customers won't lose any money, since the credit card laws protect consumers against fraud. So the real cost is the loss of access and the headache of having to check your account to be sure there is no fraud."
"That means that Sony's cost is lost revenues for a couple of weeks (probably $20 million or so, which means around $6 million of lost profit), the cost of reimbursing PS plus members (another $10 million or so), and whatever PR costs Sony incurs to make everybody feel good," Pachter surmised. "They can give away some free downloads and generate a lot of good will. Of course, they absolutely must tighten security and ensure that this doesn't happen again, and I'm not competent to tell you what that will cost."
"I truly don't think they will lose many customers over this," Pachter concluded.
In the weeks ahead, we're sure to learn more about the nature of the security breach, the extent of the information theft, and just what Sony plans to do to help those affected and protect its customers in the future. For now, we're left to hope for the best -- and, of course, change every password we've ever used.