(Sony) Risk assignment final high profile security breach of Sony’s Playstation Network (PSN)

Risk Management & Regulation in e-Commerce: Focus on Sony, 27th April 2012, IS510


DCU BUSINESS SCHOOL

ASSIGNMENT SUBMISSION

Student Name(s): James Dellinger, Grainne Malone, Jennifer Murphy, Ran Zhang

Student Number(s):

Programme: MECB1 - MSc in Electronic Commerce

Project Title: Risk Management & Regulation in e-Commerce

Assignment: Focus on Sony

Module code: IS510

Lecturer: Jack Nagle

Project Due Date: 27-APR-2012

Declaration

I the undersigned declare that the project material, which I now submit, is my own work. Any assistance received by way of borrowing from the work of others has been cited and acknowledged within the work. I make this declaration in the knowledge that a breach of the rules pertaining to project submission may carry serious consequences.

I am aware that the project will not be accepted unless this form has been handed in along with the project.


TABLE OF CONTENTS

DCU Business School Assignment Submission

Introduction

Company Overview

PSN Data Collection

High Profile Data Breach Incident

Why it happened

Sony’s Immediate Response

Policies Introduced as a Result

Any Recent Scandal

Vulnerabilities in Legislation

Conclusions

References/Literature


INTRODUCTION

It is anticipated that global e-commerce revenue will hit $963 billion by 2013, with predicted growth of 19% annually (Rao, L., 2011). This growth will undoubtedly see more consumers handing over personal financial data. With frequent high profile online security breaches jeopardising consumers’ information, the focus must be on what measures companies are taking to secure this data and what legislation exists to place obligations on commercial entities to meet acceptable standards of online security.

This report will explore the high profile security breach of Sony’s Playstation Network (PSN) that led to millions of users’ personal and financial information being exposed. Focus will be placed on what occurred in the aftermath, analysing Sony’s response. An analysis will also be made of the damage, if any, that was done to the company’s corporate reputation, and of the measures that have been brought about to negate any damage done to the brand’s reputation and to avoid such a scenario arising again.

Finally, there will be a discussion of the role of legislation in defining Sony’s legal responsibility with respect to this incident.

COMPANY OVERVIEW

Sony needs little introduction as one of the world’s leading digital entertainment brands, with a large portfolio of multimedia content. A key focus for Sony is its gaming division, Sony Computer Entertainment, a major video game company specialising in a variety of areas in the video game industry, which is the focus of this report. The PlayStation Network (PSN) is an online multiplayer gaming and digital media delivery service; in order to use the service, users are required to create an account.

PSN DATA COLLECTION

Sony collects data from its Playstation Network account holders for the purpose of billing. The data collected is as follows:

Name

Address

Country

E-mail address

Date of Birth

PSN password and login name

Apart from this profile data, additional information is compiled internally, including purchase history, billing address and the security question answers for users’ accounts.

HIGH PROFILE DATA BREACH INCIDENT

On 19th April 2011 Sony discovered a security breach in its PlayStation Network (PSN), resulting in a temporary shutdown of service for users. Customers were unable to download any games or play online. Qriocity, Sony’s music and video streaming service, was also impacted (O’Brien, 2011). Hackers had exposed a weakness in the encryption system, obtaining the public key needed to run any software on the machines (Stuart, 2011). This breach was one of the most significant ever, with 77 million users put at risk of fraudulent activity via credit cards. The hackers stole users’ personal information which, if sold on through online black markets, had a potential worth of £100 million (Arthur and Stuart, 2011).

WHY IT HAPPENED

The attack on the Sony PlayStation Network was enabled by the lack of a random number in the algorithm utilised by the security system therein. This ultimately allowed the secret key used for the protection of digital content on the system to be discovered. This was a crucial mistake for Sony to make (Markoff, 2012). The security practices in place in Sony also left much to be desired. The company failed to protect the networks by using firewalls. Sony was also using Web applications that were obsolete, making the company sites attractive targets for hacking activity. Outdated versions of the Apache Web server were in use and no patches had been applied on the PlayStation network. There was no firewall running on the PlayStation network servers (Rashid, 2011).

Within the Sony organisation, at board level, there were also problems and failings. There existed organisational complexity and a lack of adequate support for security. It is not known exactly what security measures Sony had in place prior to the breach. However, organisational complacency also played a role in the PlayStation Network attacks. Security entails more than adequate software and encryption; all aspects of the company require involvement: people, processes and technology (Boyd and Thomas, 2011).

SONY’S IMMEDIATE RESPONSE

The response from Sony to the PlayStation Network attack was far from ideal. It took until April 26th, a week after the event, for the company to admit that personal information had in fact been stolen and that credit card information might also have been taken. It took until day 11 for Sony executives to apologise, with the CEO, Howard Stringer, still remaining publicly silent. The lack of clear communication, transparency and direction to customers following the security breach was extremely poor. On May 6th an apology from Stringer finally came. The company would offer all its PlayStation network customers free credit for a year and monitoring for ID theft (Noer, 2011).

New security measures were implemented by the company. It consulted with security experts to strengthen the safeguards against unauthorised activity and to protect the personal information of its customers. These new security systems included software monitoring and penetration and vulnerability testing. Increased encryption and firewalls were also put in place. Symantec worked with Sony to improve this security and relocate the network to another data center. The company also recognised the need for improved management (Takahashi, 2011).

POLICIES INTRODUCED AS A RESULT

A few months after the attack, Sony Computer Entertainment created a new position, Chief Information Security Officer (CISO), and appointed Philip Reitinger, a former Microsoft executive and director of the National Cyber Security Center at the US Department of Homeland Security, to this position, responsible for “security of Sony’s information assets and services”. His job is to oversee information security, privacy and internet safety across the company, coordinating closely with key headquarters groups and working in partnership with the information security community to bring the best ideas and approaches to Sony (Source: Sony Corp. Info).

Sony also introduced a sentence in its Terms of Service asking users to agree not to take legal action against Sony in court (Source: Section 15, Terms of Service, Sony Entertainment Network). This was criticised by the public; however, Sony claimed that it was for the benefit of both Sony itself and its customers.

ANY RECENT SCANDAL

Even after Sony claimed that the level of data protection had increased, it remained the target of several security breaches.

1. June 2011: An SQL injection attack by the hacking group LulzSec against Sony Pictures disclosed personal information of over 1 million Sony customers.

2. June 2011: Just a few days after the SQL injection attack, the same group targeted Sony’s developer network and posted details of Sony BMG network maps from a New York City office and 54MB of Sony developer source code.

3. October 2011: A brute-force attack broke into 93,000 PlayStation and Sony network accounts.

4. January 2012: Attacks against several websites operated by Sony over the corporation’s support of the US Stop Online Piracy Act (SOPA).

VULNERABILITIES IN LEGISLATION

European Regulations

In Europe, security breaches of this nature fall under data protection and privacy regulation, which the European Commission leaves to each EU member state, unlike Europe’s antitrust regulation, which is centralised. In the aftermath of Sony’s breach, a number of European countries launched independent investigations. The power of the centralised antitrust approach is that the European Commission can issue multibillion euro fines to companies found in breach, which it has successfully done in the past to companies like Microsoft and Intel.

In the United Kingdom, the Information Commissioner’s Office (ICO) has the power to fine Sony up to £500,000 if it finds that individuals were ‘seriously affected’. However, one year on from the breach, a decision on whether Sony will be fined is not due until early May 2012, according to the ICO website.

In Ireland, the Data Protection Commissioner contacted Sony Ireland and requested the company to prepare a full report disclosing the risk posed to its Irish customers. The fact that Irish regulation did not require the Data Protection Commissioner to launch an independent investigation (despite the high profile nature of the breach) indicates a vulnerability in Irish data protection regulation. Sony was never ordered to pay a fine in Ireland and, despite investigations in countries including Spain, France, Germany and the Czech Republic, no country has yet issued a fine.

Although there are European member states that would be unwilling to relinquish control of their data protection regulations, it must be highlighted that the lack of centralisation means that serious security breaches involving consumer data are occurring without any damaging financial penalties being imposed on the company. With few implications or consequences in place for breaches of this magnitude, it could be argued that there is also little motivation for companies to invest heavily in security and policies that would protect their consumer data.

This breach ignited new discussions in Europe regarding the extension of current data protection laws beyond the telecommunications industry. These laws, known as the E-Privacy Directive, currently affect the telecommunications industry and require telecom networks in the EU to make a swift, mandatory disclosure of a data breach. If the proposed extension to the directive is made, Matthew Newman, a spokesman for the EU Justice Commissioner, was quoted as saying, ‘they will modernize rules dating from 1995, and could expand to e-banking, online shopping or the personal data field’.

CONCLUSIONS

The Sony case has taught different people many lessons. For our interest in risks and how they relate to consumer information and data breaches, this remains an important case to study. The terms of a company’s duty to disclose have been more closely scrutinised by regulators worldwide, given the large fraud-related concerns. This was primarily due to Sony’s poor response to inquiries during the crisis. More lenient legal constructs (like California’s) regarding obligations to inform customers and clients of data breaches have become more noticeably in need of reform for consumer and fraud protection. However, what actually changes at the American federal and European intergovernmental level is still up in the air.

REFERENCES/LITERATURE

Arthur, C. and Stuart, K. 2011. PlayStation Network users fear identity theft after major data leak [Online]. Available from: http://www.guardian.co.uk/technology/2011/apr/27/playstation-users-identity-theft-data-leak?INTCMP=ILCNETTXT3487 [Accessed April 2012].

Boyd, C. and Thomas, S. 2011. Security lessons from the PlayStation Network breach [Online]. Available from: http://venturebeat.com/2011/09/22/security-lessons-from-the-playstation-network-breach/ [Accessed April 2012].

Markoff, J. 2012. Flaw Found in an Online Encryption Method [Online]. Available from: http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?pagewanted=all [Accessed April 2012].

Noer, M. 2011. Sony Response to PlayStation Security Breach Abysmal [Online]. Available from: http://web.ebscohost.com.remote.library.dcu.ie/ehost/detail?vid=3&hid=19&sid=8911fbf4-838c-4cfd-b915-9a6091edff44%40sessionmgr14&bdata=JnNpdGU9ZWhvc3QtbGl2ZQ%3d%3d#db=bth&AN=65258326 [Accessed April 2012].

O’Brien, C. 2011. Sony’s PlayStation network hacked [Online]. Available from: http://www.irishtimes.com/newspaper/breaking/2011/0427/breaking2.html [Accessed April 2012].

Rao, L. 2011. J.P. Morgan: Global E-Commerce Revenue To Grow By 19 Percent In 2011 To $680B, TechCrunch [Online]. Available from: http://techcrunch.com/2011/01/03/j-p-morgan-global-e-commerce-revenue-to-grow-by-19-percent-in-2011-to-680b/

Rashid, F.Y. 2011. Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony [Online]. Available from: http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/ [Accessed April 2012].

Stuart, K. 2011. PlayStation 3 hack – how it happened and what it means [Online]. Available from: http://www.guardian.co.uk/technology/gamesblog/2011/jan/07/playstation-3-hack-ps3?intcmp=239 [Accessed April 2012].

Takahashi, D. 2011. Will PlayStation Network’s improved security be good enough? [Online]. Available from: http://venturebeat.com/2011/05/14/will-the-improved-security-for-playstation-network-be-good-enough/ [Accessed April 2012].

Seybold, P. (Sr. Director, Corporate Communications & Social Media) 2011. Sony’s Response to the U.S. House of Representatives, 04 May 2011, PlayStation Blog [Online]. Available from: http://blog.us.playstation.com/2011/05/04/sonys-response-to-the-u-s-house-of-representatives/

Sony Corporation 2011. Philip R. Reitinger is Named Senior Vice President and Chief Information Security Officer, Sony Corporation, Sony Corp. Info., News Releases, September 6, 2011 [Online]. Available from: http://www.sony.net/SonyInfo/News/Press/201109/11-109E/index.html

Sony Entertainment Network. Terms of Service [Online]. Available from: www.sonyentertainmentnetwork.com/terms-of-service/