How Safe Is Your Data? Lessons of the PlayStation Security Breach


For seventy million users of Sony's PlayStation Network, this is a weird time — one in which they're being simultaneously deprived of the shoot-em-ups they crave and used as pawns in an epic conflagration between Sony and a shadowy, wily opponent. It started on the evening of Wednesday, April 20th, when a post on Sony's PSN blog noted that the PlayStation Network and Qriocity service — which the PlayStation 3 console relies on for multiplayer PlayStation 3 games, movies, and music — were out of commission. A day later, another post estimated that it might be a day or two before they returned. Then one announced that Sony had detected an "external intrusion" and had intentionally taken the services offline to fortify them.

On Tuesday of this week, the PSN blog disclosed an explosive new twist: the external intruder had obtained customers' names, handles, e-mail addresses, mailing addresses, passwords, and birthdates — and possibly purchase histories and the security questions that supposedly help protect accounts from unauthorized access. How about credit-card info? Sony said it has no reason to think that that was purloined, but it's not positive that it wasn't. (The company also said it may need another week before it's ready to restore PSN service.)

We don't know who broke into the PlayStation Network or why, but the fact that Sony came under assault wasn't exactly a shocker. For months, some PlayStation geeks have been apoplectic about its lawsuit against a hacker who published information on modifying the PS3 to permit the installation of software unauthorized by Sony. An underground collective that calls itself "Anonymous" had essentially declared cyber war against the company, and was apparently behind a PlayStation.com outage earlier this month. (It denies responsibility for the current attack.)

The PlayStation Network drama is still unfolding, and it's uncommonly suspenseful. But the basic issue — big companies failing to adequately secure consumer information from hack attacks — is far from unique. On April 1st, for instance, Epsilon, an outfit that handles marketing services for Best Buy, Capital One, Marriott, 1-800-FLOWERS, and other corporate behemoths, announced that it had suffered a security breach of its own. Only names and e-mail addresses had been vulnerable, not physical addresses, passwords, or financial information. A clever cybercrook, however, could use names and e-mail addresses to send fake e-mails that appear to come from Epsilon's clients and which attempt to wheedle valuable information such as passwords out of consumers — a scam known as phishing.

Epsilon's break-in lacks the melodrama of the PlayStation crisis, but it provides a teachable moment of its own: none of us have a clue who's got our data. Most of the people who received an e-mail alerting them that Epsilon had allowed their names and e-mail addresses to go astray had probably never even heard of the company. Who knew that it had info on us at all, let alone that anyone would hack into it?

Ultimately, the companies who store our data on their servers are the only ones who can keep it safe. I hope that the sheer expensive enormity of Sony's fiasco prompts corporations everywhere to redouble their efforts to do so. And I do have a few tips — whether you were among the victims in the Epsilon or Sony breaches (or, like me, both) or are simply thinking ahead to the next attack.

Keep your eyes open. If anyone's managed to compromise your credit cards or other financial accounts or open new ones under your name, there will be telltale signs. But you need to be on the lookout for them. Eyeball your credit-card statements for charges you don't remember. Open and read mail from banks, merchants, and other businesses rather than assuming it's all come-ons for stuff you don't want. Paying a hefty monthly fee to one of the credit-score services that plasters TV with commercials is an iffy proposition, but visiting AnnualCreditReport.com for free yearly reports from the big three agencies is good common sense.

Be skeptical. E-mail in your inbox that claims to be from companies you do business with is probably legit, but you can't make any assumptions. It could be a phishing attack, and while many of these are hilariously amateurish, the best ones are pretty darn convincing. If a message has file attachments or includes links to a site that immediately demands your password or other personal information, it's almost certainly a fraud.

Check your spam filter. If a company you do business with is writing to tell you it's allowed your information to be stolen, you want to know about it. After the Epsilon incident, I was surprised by how few companies e-mailed me to warn me that my information might have been compromised. Then I poked around in the folder where Gmail deposits incoming mail that it thinks is spam — and discovered that it had mistakenly flagged some Epsilon-related correspondence as junk.

Guard your cards. Back in the mid-1990s, an awful lot of people were so freaked out about Internet security that they didn't use their credit cards on the Web, period. Virtually all of us are over that. But being careful about unnecessary dispersal of your financial details isn't a sign of paranoia. When online merchants such as travel sites let me choose between saving my credit-card info for later use or entering it manually every time, I generally opt for the latter. If it's not stored in a database somewhere, it can't be swiped.

Avoid the optional. Sites that collect information from you frequently pelt you with mandatory fields — the ones marked with asterisks — and then throw in a few additional ones which you're allowed to skip. Consider doing so. The less data about you that's stored in leaky corporate databases, the less alarming it'll be if you learn that those databases have been broken into. Besides, the optional fields are mostly there for the benefit of the company, not you: they're useful for marketing purposes.

Oh, and one more tip:

Don't panic. For one thing, it doesn't help. For another, many of us are already screwed, even if we don't know it: illicit online trafficking in consumer data has been so widespread for so long that at least some of your information may well be in the wild already.

And don't forget that identity theft in brick-and-mortarland is at least as gnarly a problem as its digital counterpart. A person unknown to me recently signed up for a Dell account under my name and bought a bunch of pricey computer equipment on credit; I'm nearly positive that the miscreant stole an offer that Dell had snail-mailed to me. Dealing with the resulting mess was no fun, but I didn't let it sour me on life in the real world — and you shouldn't let the hazards of life online faze you.

McCracken blogs about personal technology at Technologizer, which he founded in 2008 after nearly two decades as a tech journalist. On Twitter, he's @harrymccracken. His column, also called Technologizer, appears every Thursday on TIME.com.