For seventy million users of Sony’s PlayStation Network, this is a weird time — one in which they’re being simultaneously deprived of the shoot-em-ups they crave and used as pawns in an epic conflagration between Sony and a shadowy, wily opponent. It started on the evening of Wednesday, April 20th, when a post on Sony’s PSN blog noted that the PlayStation Network and Qriocity service — which the PlayStation 3 console relies on for multiplayer PlayStation 3 games, movies, and music — were out of commission. A day later, another post estimated that it might be a day or two before they returned. Then one announced that Sony had detected an “external intrusion” and had intentionally taken the services offline to fortify them.
On Tuesday of this week, the PSN blog disclosed an explosive new twist: the external intruder had obtained customers’ names, handles, e-mail addresses, mailing addresses, passwords, and birthdates — and possibly purchase histories and the security questions that supposedly help protect accounts from unauthorized access. How about credit-card info? Sony said it has no reason to think that that was purloined, but it’s not positive that it wasn’t. (The company also said it may need another week before it’s ready to restore PSN service.)
We don’t know who broke into the PlayStation Network or why, but the fact that Sony came under assault wasn’t exactly a shocker. For months, some PlayStation geeks have been apoplectic about its lawsuit against a hacker who published information on modifying the PS3 to permit the installation of software unauthorized by Sony. An underground collective that calls itself “Anonymous” had essentially declared cyber war against the company, and was apparently behind a PlayStation.com outage earlier this month. (It denies responsibility for the current attack.)
The PlayStation Network drama is still unfolding, and it’s uncommonly suspenseful. But the basic issue — big companies failing to adequately secure consumer information from hack attacks — is far from unique. On April 1st, for instance, Epsilon, an outfit that handles marketing services for Best Buy, Capital One, Marriott, 1-800-FLOWERS, and other corporate behemoths, announced that it had suffered a security breach of its own. Only names and e-mail addresses had been vulnerable, not physical addresses, passwords, or financial information. A clever cybercrook, however, could use names and e-mail addresses to send fake e-mails that appear to come from Epsilon’s clients and which attempt to wheedle valuable information such as passwords out of consumers — a scam known as phishing.