Another week, another security breach announcement from Sony. The first breach compromised 77 million Sony consumers; add the 24.6 million additional users compromised in this latest announcement and the total affected is over 100 million. The company has also disclosed that 12,700 accounts included credit card numbers, though none from U.S. consumers, as if that makes a difference.
There are several reasons to be frustrated with Sony’s behavior:
1) Delayed notice. Sony chose once again to delay informing users about this second breach of their data records, when every day that goes by counts. The value of a stolen credit card number decreases daily after the theft is discovered, as users scramble to notify banks of the risk, but consumers can’t react to a risk unless companies inform them of a breach. Waiting a week after the first incident, and nearly two weeks after the second, represents a careless disregard of the risk to users.
In written testimony provided to a House hearing (the company chose not to attend in person), Sony said that it waited to inform consumers until it had more complete information on the attack, and that it had not received any reports of fraudulent credit card transactions linked to the attacks.
Well gee whiz. If you don’t inform the users of a risk, they are less likely to be watching for, or discovering, fraudulent charges.
2) Cavalier response. Sony chose to first notify its users via a company blog; if users didn’t actively go to the Sony site, they had no way of discovering their data was at risk until the media broadcast the breach. When a company knows it has exposed its consumers to risk, and knows exactly how to contact its users, including their names, addresses and email aliases, failing to email or use other means to contact each user immediately is shocking, careless, and disrespectful.
This isn’t 1980, when it could take a company a week to get its notification content approved by a slew of PR and legal folks, then another week to send out and get back the material from a printing service, then a week to stuff and address 100 million+ envelopes, and possibly another week before the notices arrived via snail mail.
Sony has earned every criticism aimed in its direction over the blatant delays and the disregard it has shown for its users’ safety and privacy, and has put its brand name in the toilet. As Rep. Mary Bono Mack (R-Calif.) put it, Sony’s efforts were “half-hearted, and half-baked.”
3) Pitiful “restitution”. In Sony’s blog after the first data breach, they dumped the onus of defending against potential fraud on users. By collecting and storing consumer information the company took upon itself the responsibility for the safety and security of that information.
Yet in these three paragraphs of that first blog post, Sony distances itself from responsibility by urging consumers to be vigilant without stepping up to provide protection.
This tune has changed somewhat. In a blog released today, Sony Corp. Chief Executive Howard Stringer apologized to users for their “inconvenience and concern” and announced the launch of an identity theft protection program for U.S. account holders.
The service includes a $1 million identity theft insurance policy and will be free for 12 months after enrollment.
While it’s poor etiquette to look a gift horse in the mouth, let’s be clear: this program is neither a gift nor a horse. More like a Band-Aid and a donkey.
When any company collects your information and then fails to protect it, you should darn well expect ID theft insurance as a minimum, and without a paltry 12-month limit. Their loss of your information may expose you to increased risk of ID theft, targeted scams, and reputational damage for years, even for the rest of your life.
Think about it. You may jump to change your credit card number, and hopefully you’ll change passwords. But you can’t change your date of birth, and you aren’t likely to change your name or address. In fact, few of you will even consider changing email aliases. What this means is that crooks have all the key pieces of information needed to continue targeting you. Only really stupid criminals throw away information about you; it is likely to get sold, resold, repurposed, and accessed many, many times.
Another way to discover that this horse is really a donkey is to look into exactly what that $1 million ID theft insurance policy does and does not cover. That insurance is likely only going to help you with financial ID theft, but how that term is defined is worth understanding. Does it only cover credit card charges and credit restoration costs?
Will it cover you if you fall for a carefully crafted, personalized scam that leveraged the stolen information? Will it cover the potential reputational damage of having your accounts manipulated in unflattering ways? Or the loss of business profits if information from one of your accounts that used the same password is also exposed? If you are like the vast majority of users who use a single password on all or many of your accounts, the damage could be far reaching. Will this policy cover the costs of trying to recover compromised information that is not financial in nature? For example, if the hackers gained your password, and you used that same password on your Facebook account, from which your family photos have now been stolen, will they take care of the recovery and takedown of those images posted elsewhere?
Few users really understand the potentially far-reaching ripple effect these types of data breaches may have on you, and beyond you. The theft of your personal information may increase the risk of ID theft and fraud to your family members and friends.
A criminal may use your information as a means of building trust with their next victim: your family member or friend. If a criminal knows your name, then your children may be at increased risk, because crooks will know the answer to that frequently used ‘security question’ of what your mother’s maiden name is. They may use the information to identify the addresses and other details of those you live with.
And lest I forget, Sony’s plan to lure distrustful customers to return is to offer users a 30-day membership to their PlayStation Plus service and free entertainment downloads. Yep, that should just about balance out the risks.
So what can you do?
For a fuller set of recommendations and how to accomplish them, see my blog post Sony’s Security Breach, their Delay in Reporting, and their “User’s it’s Your Problem” Stance Deserves close scrutiny.
- Be diligent in monitoring your financial and medical identities. The information accessed by these hackers has significant value, and criminals will exploit any information they acquire.
- Understand the scope of the ID theft problem.
- Be wary of allowing additional information about yourself to be placed online with Sony before better security standards are in place.
- Demand better security and accountability of the companies, institutions, and government agencies holding your records.
- National requirements for security standards need to be strengthened.
- Learn to identify scams.
To be clear, it appears at this point that the hackers were very sophisticated, and though Sony has taken steps to further strengthen its security, it has not been accused of being a security slacker. Hacks can occur in even tightly secured environments (just ask our military!).
The truly objectionable pieces in these incidents are that not only did Sony fail to protect your data, it failed to take immediate steps to inform consumers, and it did not step up to its responsibility to help users remedy the problem until pressure forced it to change positions; and even now it’s too little and too late.
Let the company know just how unhappy you are, and let your elected officials hear your dissatisfaction along with a request for stronger security requirements and penalties for companies holding consumer data.