Over the past few weeks there has been a great deal of complaint and speculation about the Sony PlayStation Network (PSN) data breach, which has affected over 100 million accounts. I don’t know all the facts, as they are still emerging, but I have a few general views:
Be prepared: Ensure that you have an effective communications plan which you can enact quickly. Sony and Apple have both recently been castigated for how long they took to acknowledge and respond to issues. People shouldn’t expect answers immediately, but they do want to know that you are actively addressing the situation.
Have a forensic readiness plan, retaining technical and investigative expertise as required. This helps minimise contamination of evidence while you contain the incident, which is essential if you want to know how the attackers got in, what they did and what trail they left. Without it, you have no realistic chance of a successful prosecution.
Treat customer data as your own: It’s one thing to spend lots of effort protecting your own information with takedown notices, rootkits and legal threats, and another to leave personal data such as email addresses, phone numbers and passwords in the clear. Just encrypting credit card data, to get your PCI-DSS tick in the box, is not enough. Passwords in particular should never be stored in a recoverable form at all: a salted, deliberately slow hash is the minimum.
Validated email addresses have value to spammers, real names help phishers, and dates of birth facilitate identity fraud. Password reuse is rife among users, so a leaked password leads to further compromises elsewhere. Learn from other attacks, such as those on Epsilon and Gawker. Governments looking to spy on dissidents have targeted Facebook and Gmail.
If it is popular, expect it to be targeted and hacked. Build your platform to minimise impact.
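To make the point about passwords concrete, here is an added example (my illustration, not code from the original post or from Sony) contrasting a plaintext or reversibly encrypted credential store with a salted, iterated PBKDF2-HMAC-SHA256 store, and showing what an attacker who dumps each one actually gets. The record format, the iteration count and the sample user records are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a per-user random salt and an
# iteration count high enough that each guess costs the attacker real CPU time.
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16
ALGO = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The weak form: the stored record *is* the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """The hardened form: salted, iterated PBKDF2; nothing reversible is stored."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the cost can be raised later without a migration flag.
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False


def attacker_recovers(record: str, wordlist) -> Optional[str]:
    """What a breach gives the attacker: a plaintext record is read directly;
    a hashed record only falls to a guess that happens to be in the wordlist."""
    if "$" not in record:
        return record                      # plaintext store: game over
    for guess in wordlist:
        if verify_password(guess, record):
            return guess                   # weak password, cracked by dictionary
    return None


# Constructed sample users: two of them reuse the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "password1",
    "carol": "password1",
}
WORDLIST = ["123456", "password", "password1", "qwerty"]


def dump_comparison():
    """Return, per user, what an attacker recovers from each kind of store."""
    result = {}
    for user, pw in USERS.items():
        weak = store_plaintext(pw)
        strong = hash_password(pw)
        result[user] = {
            "plaintext_store": attacker_recovers(weak, WORDLIST),
            "hashed_store": attacker_recovers(strong, WORDLIST),
        }
    return result


if __name__ == "__main__":
    for user, outcome in dump_comparison().items():
        print(f"{user:6} plaintext store -> {outcome['plaintext_store']!r}; "
              f"hashed store -> {outcome['hashed_store']!r}")
```

Two things the output makes visible that the paragraph above only asserts: with the plaintext store every password is recovered, including alice's strong one, and is immediately reusable against other sites; with the salted hash store only the dictionary-weak `password1` falls, and because bob and carol have different salts the attacker has to crack it twice rather than once for both.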
Expect legal and regulatory fallout: In our interconnected world there is a raft of legal and regulatory requirements that large online services need to be aware of and compliant with, including those covering data breach notification and the privacy of personal and financial data. Investigations may ensue.
Fines may be imposed by data protection and financial regulators, and individual or class action suits may be brought. These can arise anywhere that you are considered to operate your service. The Sony v. Hotz “PS3 hacking” case demonstrated that this can be a complex and fraught process. Make sure you have access to a great legal team.
This incident may have brought some positives, in that Sony has now learned some of the above lessons and has appointed its first chief information security officer, who hopefully has the remit to improve its security and privacy practices. And PSN users got a chance to enjoy the spring sunshine.