(Sony) Risk assignment final high profile security breach of Sony’s Playstation Network (PSN)
-
Upload
james-dellinger -
Category
Education
-
view
1.372 -
download
0
description
Transcript of (Sony) Risk assignment final high profile security breach of Sony’s Playstation Network (PSN)
Risk Management & Regulation in e-Commerce:Focus on Sony27th April 2012
IS510
DCU BUSINESS SCHOOL
ASSIGNMENT SUBMISSION
Student Name(s)
Student Number(s):
James Dellinger
Grainne Malone
Jennifer Murphy
Ran Zhang
Programme: MECB1 - MSc in Electronic Commerce
Project Title:Risk Management & Regulation in e-Commerce
Assignment: Focus on Sony
Module code: IS510
Lecturer: Jack Nagle
Project Due Date: 27-APR-2012
Declaration
I the undersigned declare that the project material, which I now submit, is my own work. Any assistance received by way of borrowing from the work of others has been cited and acknowledged within the work. I make this declaration in the knowledge that a breach of the rules pertaining to project submission may carry serious consequences.
I am aware that the project will not be accepted unless this form has been handed in along with the project.
Page | 1
Signed:_________________________ _________________________ _________________________ _________________________
Page | 2
TABLE OF CONTENTS
DCU Business School Assignment Submission...................................1
Introduction..............................................................................................4
Company Overview..................................................................................4
PSN Data Collection..................................................................................4
High Profile Data Breach Incident.........................................................5
Why it happened......................................................................................5
Sony’s Immediate Response....................................................................6
Policies Introduced as a Result.................................................................7
Any Recent Scandal.................................................................................7
Vulnerabilities in Legislation.................................................................8
Conclusions...............................................................................................9
References/Literature.............................................................................9
Page | 3
INTRODUCTION
It is anticipated that global e-commerce revenue will hit $963 billion by
2013, with predicted growth of 19% annually (Rao, L., 2011). This growth
will undoubtedly see more consumers handing over personal financial
data. With frequent high profile online security breaches jeopardising
consumer’s information, the focus must be on what measures companies
are taking to secure this data and what legislation exists to place
obligations on commercial entities to meet acceptable standards of online
security.
This report will explore the high profile security breach of Sony’s
Playstation Network (PSN) that led to millions of users’ personal and
financial information being exposed. Focus will be placed on what
occurred in the aftermath, analysing Sony’s response. An analysis will also
be made of the damage if any that was done to the company’s’ corporate
reputation, and the measures that have been brought about to negate
any damage done to the brand’s reputation and avoid such a scenario
arising again.
Finally, there will be a discussion as to the role of legislation in defining
Sony’s legal responsibility with respect to this incident.
COMPANY OVERVIEW
Sony needs little introduction as one of the world’s leading digital
entertainment brands, with a large portfolio of multimedia content. A key
focus for Sony is its gaming division, Sony Computer Entertainment, a
major video game company specializing in a variety of areas in the video
game industry which is the focus of this report. The PlayStation Network
(PSN) is an online multiplayer gaming digital media delivery service, in
order to use the service users are required to create an account.
PSN DATA COLLECTION
Page | 4
Sony collects data from its Playstation Network account holders for the
purpose of billing. Data collection is as follows:
Name
Address
Country
E-mail address
Date of Birth
PSN password and login name
Apart from this profile data, additional information is compiled internally
including purchase history and billing address, the security question
answers to user’s accounts.
HIGH PROFILE DATA BREACH INCIDENT
On 19th April 2011 Sony discovered a security breach in its PlayStation
Network (PSN) resulting in a temporary shutdown of service for users.
Customers were unable to download any games or play online. Qriocity,
Sony’s music and video streaming service was also impacted (O’Brien,
2011). Hackers had exposed a weakness in the encryption system,
obtaining the public key needed to run any software on the machines
(Stuart, 2011). This breach was one of the most significant ever, with 77
million users put at risk of fraudulent activity via credit cards. The hackers
stole users personal information which if sold on through online black
markets had a potential worth of £100 million (Arthur and Stuart 2011).
WHY IT HAPPENED
The attack on the Sony PlayStation Network was enabled by the lack of a
random number in the algorithm utilised by the security system therein.
This ultimately allowed the secret key used for the protection of digital
content on the system to be discovered. This was a crucial mistake for
Sony to make (Markoff, 2012). The security practices in place in Sony also
Page | 5
left much to be desired. The company failed to protect the networks by
using firewalls. Sony was also using Web applications that were obsolete,
making the company sites attractive targets for hacking activity. Outdated
versions of the Apache Web server were in use and there were no patches
applied on the PlayStation network. There was no firewall running on the
PlayStation network servers (Rashid, 2011).
Within the Sony organisation, at board level, there were also problems
and failings. There existed organisational complexity and a lack of
adequate support for security. It is not known exactly what security
measures Sony had in place prior to the breach. However, organisational
complacency also played a role in the PlayStation Network attacks.
Security entails more than adequate software and encryption; all aspects
of the company require involvement; people, processes and technology.
(Boyd and Thomas, 2011).
SONY’S IMMEDIATE RESPONSE
The response from Sony to the PlayStation Network attack was far from
ideal. It took until April 26th, a week after the event, for the company to
admit that personal information had in fact been stolen and the possibility
that credit card information had also been taken. It took until day 11 for
Sony executives to apologise with the CEO Howard Stringer still remaining
publically silent. The lack of clear communication, transparency and
direction to their customers following the security breach was extremely
poor. On May 6th an apology from Stringer finally came. The company
would offer all their PlayStation network customers free credit for a year
and monitoring for ID theft (Noer 2011).
New security measures were implemented by the company. They
consulted with security experts to put in place security to strengthen the
safeguards to stop unauthorised activity and protect the personal
information of their customers. These new security systems put in place
included software monitoring, penetration and vulnerability testing.
Increased encryption and firewalls were also put in place. Symantec
Page | 6
worked with Sony to improve this security and relocate the network to
another data center. The company also recognised the need for improved
management. (Takahashi, 2011).
POLICIES INTRODUCED AS A RESULT
A few months after the attack, Sony Computer Entertainment has created
a new position – Chief information security Officer (CISO), and appointed a
former Microsoft executive and the director of the National Cyber Security
Center at the US Department of Homeland Security Phillip Reitinger to this
position, responsible for "security of Sony's information assets and
services”. His job is to oversee information security, privacy and internet
safety across the company, coordinating closely with key headquarters
groups and working in partnership with the information security
community to bring the best ideas and approaches to Sony. (Source: Sony
Corp. Info)
Sony also introduced a line of sentence in their Terms of Service, asking
users to agree that not to take legal actions against Sony in court.
(Source: Section 15, Terms of Services, Sony Entertainment Network) This
was criticised by the public, however Sony claimed that it was for the
benefit of both Sony itself and the customers.
ANY RECENT SCANDAL
Even after Sony has claimed that the level of data protection has
increased, it still remained the target of several security breaches.
1. June 2011: An SQL injection attack by a computer hack group – LulzSec against Sony Pictures disclosed personal information of over 1 million Sony customers.
2. June 2011: Just a few days after the SQL injection attack, the same hack group targeted Sony’s developer network and posted details of Sony BMG network maps from a New York City office and 54MB of Sony developer source code.
3. October 2011: Brute-force attack broke into 93,000 PlayStation and Sony network accounts.
Page | 7
4. January 2012: attacks agains a several websites operated by Sony for the corporation’s support of the US Stop Online Piracy Act (SOPA).
VULNERABILITIES IN LEGISLATION
European Regulations
In Europe, security breaches of this nature fall under data protection and
privacy regulation which the European Commission leaves to each EU
member state unlike Europe’s antitrust regulation, which is centralised. In
the aftermath of Sony’s breach, a number of European countries launched
independent investigations The power of this centralised approach means
that and the European Commission has the power to issue multibillion
euro fines to companies found in breach, which it has successfully done in
the past to companies like Microsoft and Intel.
In the United Kingdom, the Information Commissioner’s Office (ICO), which
has the power to fine Sony up to £500,000 if it finds that individuals were
‘seriously affected’. However, one year on from the breach a decision on
whether Sony will be fined will not be due until early May 2012 according
to the ICO website.
In Ireland, the Data Protection commissioner contacted Sony Ireland and
requested the company to prepare a full report disclosing the risk posed
to its Irish customers. The fact that Irish regulation did not require the
data protection commissioner to launch an independent investigation
(despite the nature of the high profile breach) indicates vulnerability in
Irish data protection regulation. Sony was never ordered to pay a fine in
Ireland and despite investigations in countries including Spain, France,
Germany and the Czech Republic, no country has yet to issue a fine.
Although, there are European member states that would be unwilling to
relinquish control of their data protection regulations, it must be
highlighted that the lack of centralisation means that serious security
breaches involving consumer data are occurring without any damaging
financial penalties being imposed on the company. With little implications
Page | 8
or consequences in place for breaches of this magnitude, it could be
argued that as a result there is also little motivation for companies to
invest heavily in security and policies that would protect their consumer
data.
This breach ignited new discussions in Europe regarding the extension of
current data protection laws beyond the telecommunications
industry. These laws, known as the E-Privacy Directive, currently affect
the telecommunication industry and require telecom networks in the EU to
make a swift, mandatory disclosure about a data breach. If the proposed
extension to the directive is made, Matthew Newman ,a spokesman for
the EU Justice Commissioner was quoted as saying ‘they will modernize
rules dating from 1995, and could expand to e-banking, online shopping
or the personal data field’
CONCLUSIONS
The Sony case has taught different people many lessons. For our interest
in risks and how they relate to consumer information and data breaches
this remains is an important case to study. The terms of a companies duty
to disclose has been more closely scrunitized by regulators worldwide
given the large fraud related concerns. This was primarily due to Sony’s
poor response to inquiries during the crisis. More lenient legal contructs
(like California’s) regarding obligations to inform customers and clients of
data breaches have become more noticably in of reform for consumer and
fraud pertection. However, what is actually changes at the American
federal and European intergovermental level are still up in the air.
REFERENCES/LITERATURE
Arthur C. and Stuart, K. 2011. PlayStation Network users fear identity theft after major data leak [Online]. Available from:
http://www.guardian.co.uk/technology/2011/apr/27/playstation-users-identity-theft-data-leak?INTCMP=ILCNETTXT3487 [Accessed April 2012].
Page | 9
Boyd C. and Thomas S. 2011. Security lessons from the PlayStation Network breach [Online]. Available from: http://venturebeat.com/2011/09/22/security-lessons-from-the-playstation-network-breach/ [Accessed April 2012].
Markoff, J. 2012. Flaw Found in an Online Encryption Method [Online]. Available from:
http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?pagewanted=all [Accessed April 2012].
Noer, M. 2011. Sony Response to PlayStation Security Breach Abysmal [Online]. Available from: http://web.ebscohost.com.remote.library.dcu.ie/ehost/detail?vid=3&hid=19&sid=8911fbf4-838c-4cfd-b915-9a6091edff44%40sessionmgr14&bdata=JnNpdGU9ZWhvc3QtbGl2ZQ%3d%3d#db=bth&AN=65258326 [Accessed April 2012].
O’Brien, C. 2011. Sony’s PlayStation network hacked [Online]. Available from:
http://www.irishtimes.com/newspaper/breaking/2011/0427/breaking2.html [Accessed April 2012].
Rao, Lenna, 2011 “J.P. Morgan: Global E-Commerce Revenue To Grow By 19 Percent In 2011 To $680B” TechCrunch [Online]http://techcrunch.com/2011/01/03/j-p-morgan-global-e-commerce-revenue-to-grow-by-19-percent-in-2011-to-680b/
Rashid, F.Y. 2011. Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony [Online]. Available from: http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/ [Accessed April 2012].
Stuart, K. 2011. PlayStation 3 hack – how it happened and what it means [Online]. Available from: http://www.guardian.co.uk/technology/gamesblog/2011/jan/07/playstation-3-hack-ps3?intcmp=239 [Accessed April 2012].
Takahashi, D. 2011. Will PlayStation Network’s improved security be good enough? [Online]. Available from:
http://venturebeat.com/2011/05/14/will-the-improved-security-for-playstation-network-be-good-enough/ [Accessed April 2012].
Sony’s Response to the U.S. House of Representatives, 04 May, 2011, Posted by Patrick Seybold – Sr. Director, Corporate Communications & Social Media, PlayStation Blog, URL:
Page | 10
http://blog.us.playstation.com/2011/05/04/sonys-response-to-the-u-s-house-of-representatives/
Philip R. Reitinger is Named Senior Vice President and Chief Inofmation Security Officer, Sony Corporation, Sony Corp. Info., News Releases, September 6, 2011, URL: http://www.sony.net/SonyInfo/News/Press/201109/11-109E/index.html
Terms of Service, Sony Entertainment Network, URL: www.sonyentertainmentnetwork.com/terms-of-service/
Page | 11