Sony PlayStation Network Mega Update: What’s Happening, Q&A, Legal Implications
Unless you live in a hole, and even then, by now you’ve heard of Sony’s woes with its PlayStation Network being down for about a week, making it completely unavailable to its over seventy million registered users worldwide.
Here is a mega update, then, for all of your PSN news needs.
Sony have mentioned that they don’t have an update or a timeframe to share regarding the resumption of the service, but the latest correspondence with users suggests that it may be up and running again “within a week”.
Positive news for those keeping tabs, but that’s about where it ends. The rest is all downhill.
Most importantly, the platform holder has admitted that some PSN users’ personal information, potentially including credit card details, has been stolen following the online service’s security breach.
Rumours were that they had waited a week to inform customers of their compromised personal data; however, these have all been denied.
Senior Director of Corporate Communications at SCEA, Patrick Seybold, said that the platform holder only realised the extent of the intrusion this week. He had the following to say on the PlayStation Blog:
“I wanted to take this opportunity to clarify a point and answer one of the most frequently asked questions today,” he said. “There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised.”
“We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.”
“It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.”
Sony have since updated an official Q&A regarding the PSN outage, along with information pertaining to the illegal and unauthorized intrusion which occurred between April 17th and 19th.
In the Q&A, Sony speak of turning off service to both PSN and Qriocity in order to conduct an internal investigation into its network, with the help of an outside security firm brought in to conduct a “full and complete investigation into what happened.”
Sony then began to “enhance security and strengthen our network infrastructure by re-building our system,” in order to provide users with “greater protection,” of personal information.
The firm’s investigation into the matter indicated a quite alarming possibility that all PSN and Qriocity accounts “may have been affected” by the security breach, and there is the “possibility” that all users’ information could have been compromised. Emails have since been sent out to inform users of said breach.
That said, so far Sony have not received any reports of users’ personal information being used in a nefarious manner.
The firm had the following to say: “We are taking the investigation seriously.” Well that’s enlightening… They went on to say, “We will keep the service down to allow us to conduct a thorough investigation and verify smooth operation of our network services but are working hard to resume the services as soon as we can be reasonably assured security concerns are addressed.”
Sony also claimed that it will assess the “correct course of action,” pertaining to monetary value of services not rendered while the outage was current, and once full services are restored and “the length of the outage is known,” it will have more information.
It seems that it’s not just Sony and its customers who are suffering for it. Developers are hurting too.
Q-Games, better known for their PSN-exclusive PixelJunk series, has claimed that the downtime of PSN is starting to cost it some serious money. Head honcho, Dylan Cuthbert, had this to say: “PSN being out definitely affects our bottom line, but as long as the people who were going to be playing Shooter 2 and other PixelJunk titles will get right back in there playing them when it comes back up we’ll be happy and hopefully income won’t be dented too much.”
He added that his studio was just as much in the dark about when the service might be back online as everyone else in the world. “Sony has contacted us to let us know they are working as hard as they can 24 hours a day to fully correct and secure the breach,” he explained. “Apart from that we don’t know any other information. Fingers crossed they’ll get it up and running very soon.”
THE LEGAL STUFF
Sony is very much “unlikely” to face legal action from gamers upset over the PSN outage, but it is “probably” in breach of the Data Protection Act over the identity theft furore.
This according to Alex Chapman of Sheridans Solicitors, who states that Sony’s PSN terms and conditions – which all users must agree to before accessing the service – mean legal complaints are unlikely to lead to compensation.
“Our applications are provided on an ‘as is’ basis,” reads the T&Cs. “At times, applications may not be available or may be affected by faults of maintenance work, or by circumstances outside our control. No warranty is given about the quality, functionality, availability or performance of our applications or any content accessed via our applications. We reserve the right to change, suspend or withdraw all or any part of any application and to suspend your access to the application, at any time without notice.”
“This is pretty self explanatory and probably protects Sony in respect of the outage,” Chapman said.
Users may, however, have a cause of action through the Unfair Contract Terms Act. But to do so they would have to show a number of conditions including that Sony hasn’t provided the service with “reasonable care” as well as showing actual loss or damage, all rather unlikely.
It is however likely that Sony is in breach of the Data Protection Act of 1998, thanks to the huge security leak, and could face claims from those impacted. “One of the guiding principles of the Act is that personal data must be kept secure and the exposure of the data in this way would likely breach that principle,” Chapman explained.
That users’ passwords have been “obtained”, as Sony puts it, suggests that Sony stored user passwords as plain text without encryption. As a student who has taken an encryption course I can vouch for how important it is. Also, they would kill us with DRM but use plain text for passwords? Really, Sony…
Chapman added, “The Information Commissioner often fines companies for such breaches and affected consumers will also be entitled to bring a claim against Sony.”
UK consumer rights group Which? (yes that is their name) says it’s very unlikely that PlayStation owners will have to pick up any costs in the event their credit cards are used for fraudulent activity. Reassuring, isn’t it?
“Unless you’ve been involved in the fraud or have been grossly negligent – for example, writing down your Pin and leaving it with your card – the most you can be liable for fraud on debit and credit cards is £50, and this is normally waived,” reads the FAQ on its site.
Speaking of the PSN outage, Satish Lele, vice president of business research and consulting firm Frost & Sullivan, had the following to say: “Sony is now an online entertainment company and more and more of its revenues are expected to come from its online business as it has moved away from being a product business quite some time ago when it lost this game to Samsung. So if it is not able to do that very quickly, I think [the PSN security breach] may have an impact in the long-term in terms of the overall business of Sony.”
On the potential damage to Sony’s image, he added: “It’s very difficult to quantify. It will have to invest a lot in rebuilding this entire infrastructure, it will have to invest a lot in marketing and telling everyone it is safe again to buy online from the services that they offer. All that will truly take time for Sony to rebuild again.”
Or they could just pimp out Uncharted 3 for like R100 on PSN once it’s back up… Tell me you wouldn’t hit that?
Visa, the global payments company, has said that customers need not automatically cancel their cards, but should remain vigilant, at least for the time being. “Concerned cardholders should keep a close eye on their accounts and report any unusual or unexpected activity to their issuing bank,” a statement reads. “Cardholders who are innocent victims of fraud will get their money back, subject to terms and conditions of their bank.”
Other observers are however being more cautious. The aptly named Graham Cluley of analysts Sophos, had this to say: “If you’re a user of Sony’s PlayStation Network, now isn’t the time to sit back on your sofa and do nothing. The fraudsters won’t wait around – for them this is a treasure trove ripe for exploiting. You need to act now to minimise the chances that your identity and bank account become casualties following this hack.”
How much will all of this cost Sony? The financial ramifications of the “external intrusion” on Sony, PS developers and users won’t likely be known for a while, but a data-security research firm and Forbes mathematicians have put together a worst-case scenario price tag for the breach: $24 billion. That’s US dollars, mind you…
Okay pick your jaw up, now.
How did they work it out? It was derived by multiplying the number of PSN accounts, approximately 77 million, by the “cost of a data breach involving a malicious or criminal act,” which according to the Ponemon Institute, averaged $318 last year. It needn’t be said that not every PSN account has current credit card data or accurate personal information attached to it, which of course makes the actual figure far, far less.
THE FIRST LAWSUIT
It didn’t take long for the lawyers to come out. Sony has its first lawsuit, filed against it by California-based practice Rothken Law Firm on behalf of Alabama resident Kristopher Johns, who is complaining that Sony didn’t take “reasonable care to protect, encrypt, and secure the private and sensitive data of its users.”
Johns also argues that Sony took too long to inform users of the breach, meaning they didn’t have enough time to “make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.”
The court document claimed that Sony “has failed to provide regular credit reports and credit monitoring at their own expense to those whose private data was exposed and left vulnerable. This has caused, and continues to cause, millions of consumers fear, apprehension, and damages including extra time, effort, and costs for credit monitoring, and extra time, effort, and costs associated with replacing cards and account numbers, and burden, and is harming both the consumers’ and merchants’ ability to protect themselves from such fraud. This lawsuit seeks to remedy this reprehensible situation.”
Johns himself is seeking undefined compensatory damages and costs. However, potentially more damaging to Sony, Rothken wants the suit to gain class action status, which would allow other PSN account holders to jump on board for a share of the spoils.
Once again, there are as yet no confirmed reports of fraudulent activity as a result of the PSN hack.
Head over to page two for Sony’s official statement regarding the PSN outage, and then to page three for their official Q&A.