Last modified: Wednesday, April 27, 2011
CACR: PlayStation breach presents massive security threat
FOR IMMEDIATE RELEASE
April 27, 2011
BLOOMINGTON, Ind. -- A massive data breach following the hacking of Sony's PlayStation network is affecting an estimated 77 million people, crippling the popular gaming pipeline and leaving victims at serious risk for identity theft and other frauds.
Fred H. Cate, director of Indiana University's Center for Applied Cybersecurity Research, said the attack presents a "massive security threat," with the potential to affect millions of people, including children.
Sony disclosed on Tuesday (April 26) that its gaming network -- which had been down for more than a week -- was the victim of a cyberattack, with user information such as names, addresses, birth dates, usernames and passwords, and e-mail addresses compromised. Sony remains unsure if credit card information was taken.
"This is one of the biggest data heists we have ever seen, both in terms of the number of people affected and the wide variety of data that appear to have been compromised," Cate said. "Even if it turns out credit card data wasn't stolen, the consequences of this attack are huge."
"The reason," according to Cate, "is that the stolen data included passwords and password reset questions."
"Password data is very revealing," Cate said. "Many people reuse the same passwords and reset questions across most, if not all, sites they use."
So whoever stole or has access to the PlayStation data may very well be able to access PlayStation users' other accounts -- including banking, credit card, online retail, email, and corporate network accounts.
"In fact, by using the password reset information, the thieves can reset account passwords, thereby blocking individuals' access to their own accounts and information," Cate said.
PlayStation users who have been affected by the breach are encouraged to change their passwords and reset question answers not only for their PlayStation accounts, but all accounts where they have used the same or similar information. This should be done "urgently," Cate recommended.
The need for speedy action is especially great since it appears that, while the incident remains under investigation, whoever stole data from the PlayStation network has likely had a weeklong head-start to use any stolen data.
Users should also monitor their credit card statements for unrecognized charges, and be alert for an influx of inquiries for further identifying information. Individuals should never give out or verify personal information via email or over the phone unless they placed the call.
Once the PlayStation network reactivates -- it was unknown Wednesday morning when that might occur -- users should log in as soon as possible and change their passwords.
Cate, a cybersecurity expert, is a distinguished professor and the C. Ben Dutton Professor of Law at the IU Maurer School of Law. He can be reached at: firstname.lastname@example.org.
The Center for Applied Cybersecurity Research has been designated a National Center of Academic Excellence in both Information Assurance Education and Research. CACR is part of Pervasive Technology Institute at Indiana University. CACR produces Security Matters, an informational video series that empowers technology users to protect their data in an easy-to-understand, nontechnical way.