IS510

Risk Management & Regulation in eCommerce: Focus on Sony

27th April 2012
This report will explore the high profile security breach of Sonys Playstation Network (PSN) that led to millions of users personal and financial information being exposed. Focus will be placed on what occurred in the aftermath, analysing Sonys response

James Dellinger Grainne Malone Jennifer Murphy Ran Zhang

DCU BUSINESS SCHOOL ASSIGNMENT SUBMISSION

James Dellinger

Grainne Malone Student Name(s) Student Number(s): Jennifer Murphy

Ran Zhang

Programme:

MECB1 - MSc in Electronic Commerce Risk Management & Regulation in e-Commerce Assignment: Focus on Sony IS510 Jack Nagle 27-APR-2012

Project Title:

Module code: Lecturer: Project Due Date:

Declaration I the undersigned declare that the project material, which I now submit, is my own work. Any assistance received by way of borrowing from the work of others has been cited and acknowledged within the work. I make this declaration in the knowledge that a breach of the rules pertaining to project submission may carry serious consequences. I am aware that the project will not be accepted unless this form has been handed in along with the project.

Page | 1

Signed:_________________________ _________________________ _________________________ _________________________

Page | 2

TABLE OF CONTENTS
DCU Business School Assignment Submission .............................................................. 1 Introduction ............................................................................................................................ 4 Company Overview ............................................................................................................... 4 PSN Data Collection ........................................................................................................... 4 High Profile Data Breach Incident ..................................................................................... 5 Why it happened ................................................................................................................. 5 Sonys Immediate Response .............................................................................................. 6 Policies Introduced as a Result ......................................................................................... 7 Any Recent Scandal ............................................................................................................ 7 Vulnerabilities in Legislation.............................................................................................. 7 Conclusions ............................................................................................................................. 9 References/Literature ............................................................................................................ 9

Page | 3

INTRODUCTION
It is anticipated that global e-commerce revenue will hit $963 billion by 2013, with predicted growth of 19% annually (Rao, L., 2011). This growth will undoubtedly see more consumers handing over personal financial data. With frequent high profile online security breaches jeopardising consumers information, the focus must be on what measures companies are taking to secure this data and what legislation exists to place obligations on commercial entities to meet acceptable standards of online security. This report will explore the high profile security breach of Sonys Playstation Network (PSN) that led to millions of users personal and financial information being exposed. Focus will be placed on what occurred in the aftermath, analysing Sonys response. An analysis will also be made of the damage if any that was done to the companys corporate reputation, and the measures that have been brought about to negate any damage done to the brands reputation and avoid such a scenario arising again. Finally, there will be a discussion as to the role of legislation in defining Sonys legal responsibility with respect to this incident.

COMPANY OVERVIEW
Sony needs little introduction as one of the worlds leading digital entertainment brands, with a large portfolio of multimedia content. A key focus for Sony is its gaming division, Sony Computer Entertainment, a major video game company specializing in a variety of areas in the video game industry which is the focus of this report. The PlayStation Network (PSN) is an online multiplayer gaming digital media delivery service, in order to use the service users are required to create an account.

PSN DATA COLLECTION

Sony collects data from its Playstation Network account holders for the purpose of billing. Data collection is as follows: Page | 4

Name Address Country E-mail address Date of Birth PSN password and login name

Apart from this profile data, additional information is compiled internally including purchase history and billing address, the security question answers to users accounts.

HIGH PROFILE DATA BREACH INCIDENT

On 19th April 2011 Sony discovered a security breach in its PlayStation Network (PSN) resulting in a temporary shutdown of service for users. Customers were unable to download any games or play online. Qriocity, Sonys music and video streaming service was also impacted (OBrien, 2011). Hackers had exposed a weakness in the encryption system, obtaining the public key needed to run any software on the machines (Stuart, 2011). This breach was one of the most significant ever, with 77 million users put at risk of fraudulent activity via credit cards. The hackers stole users personal information which if sold on through online black markets had a potential worth of 100 million (Arthur and Stuart 2011).

WHY IT HAPPENED
The attack on the Sony PlayStation Network was enabled by the lack of a random number in the algorithm utilised by the security system therein. This ultimately allowed the secret key used for the protection of digital content on the system to be discovered. This was a crucial mistake for Sony to make (Markoff, 2012). The

security practices in place in Sony also left much to be desired. The company failed to protect the networks by using firewalls. Sony was also using Web applications Page | 5

that were obsolete, making the company sites attractive targets for hacking activity. Outdated versions of the Apache Web server were in use and there were no patches applied on the PlayStation network. There was no firewall running on the PlayStation network servers (Rashid, 2011). Within the Sony organisation, at board level, there were also problems and failings. There existed organisational complexity and a lack of adequate support for security. It is not known exactly what security measures Sony had in place prior to the breach. However, organisational complacency also played a role in the PlayStation Network attacks. Security entails more than adequate software and encryption; all aspects of the company require involvement; people, processes and technology. (Boyd and Thomas, 2011).

SONYS IMMEDIATE RESPONSE

The response from Sony to the PlayStation Network attack was far from ideal. It took until April 26th, a week after the event, for the company to admit that personal information had in fact been stolen and the possibility that credit card information had also been taken. It took until day 11 for Sony executives to apologise with the CEO Howard Stringer still remaining publically silent. The lack of clear communication, transparency and direction to their customers following the security breach was extremely poor. On May 6th an apology from Stringer finally came. The company would offer all their PlayStation network customers free credit for a year and monitoring for ID theft (Noer 2011). New security measures were implemented by the company. They consulted with security experts to put in place security to strengthen the safeguards to stop unauthorised activity and protect the personal information of their customers. These new security systems put in place included software monitoring, penetration and vulnerability testing. Increased encryption and firewalls were also put in place. Symantec worked with Sony to improve this security and relocate the network to another data center. The company also recognised the need for improved management. (Takahashi, 2011). Page | 6

POLICIES INTRODUCED AS A RESULT

A few months after the attack, Sony Computer Entertainment has created a new position Chief information security Officer (CISO), and appointed a former Microsoft executive and the director of the National Cyber Security Center at the US Department of Homeland Security Phillip Reitinger to this position, responsible for "security of Sony's information assets and services. His job is to oversee information security, privacy and internet safety across the company, coordinating closely with key headquarters groups and working in partnership with the information security community to bring the best ideas and approaches to Sony. (Source: Sony Corp. Info) Sony also introduced a line of sentence in their Terms of Service, asking users to agree that not to take legal actions against Sony in court. (Source: Section 15, Terms of Services, Sony Entertainment Network) This was criticised by the public, however Sony claimed that it was for the benefit of both Sony itself and the customers.

ANY RECENT SCANDAL

Even after Sony has claimed that the level of data protection has increased, it still remained the target of several security breaches. 1. June 2011: An SQL injection attack by a computer hack group LulzSec against Sony Pictures disclosed personal information of over 1 million Sony customers. 2. June 2011: Just a few days after the SQL injection attack, the same hack group targeted Sonys developer network and posted details of Sony BMG network maps from a New York City office and 54MB of Sony developer source code. 3. October 2011: Brute-force attack broke into 93,000 PlayStation and Sony network accounts. 4. January 2012: attacks agains a several websites operated by Sony for the corporations support of the US Stop Online Piracy Act (SOPA).

VULNERABILITIES IN LEGISLATION
European Regulations

Page | 7

In Europe, security breaches of this nature fall under data protection and privacy regulation which the European Commission leaves to each EU member state unlike Europes antitrust regulation, which is centralised. In the aftermath of Sonys breach, a number of European countries launched independent investigations The power of this centralised approach means that and the European Commission has the power to issue multibillion euro fines to companies found in breach, which it has successfully done in the past to companies like Microsoft and Intel. In the United Kingdom, the Information Commissioners Office (ICO), which has the power to fine Sony up to 500,000 if it finds that individuals were seriously affected. However, one year on from the breach a decision on whether Sony will be fined will not be due until early May 2012 according to the ICO website. In Ireland, the Data Protection commissioner contacted Sony Ireland and requested the company to prepare a full report disclosing the risk posed to its Irish customers. The fact that Irish regulation did not require the data protection commissioner to launch an independent investigation (despite the nature of the high profile breach) indicates vulnerability in Irish data protection regulation. Sony was never ordered to pay a fine in Ireland and despite investigations in countries including Spain, France, Germany and the Czech Republic, no country has yet to issue a fine. Although, there are European member states that would be unwilling to relinquish control of their data protection regulations, it must be highlighted that the lack of centralisation means that serious security breaches involving consumer data are occurring without any damaging financial penalties being imposed on the company. With little implications or consequences in place for breaches of this magnitude, it could be argued that as a result there is also little motivation for companies to invest heavily in security and policies that would protect their consumer data. This breach ignited new discussions in Europe regarding the extension of current data protection laws beyond the telecommunications industry. These laws, known as the E-Privacy Directive, currently affect the telecommunication industry and require telecom networks in the EU to make a swift, mandatory disclosure about Page | 8

a data breach. If the proposed extension to the directive is made, Matthew Newman ,a spokesman for the EU Justice Commissioner was quoted as saying they will modernize rules dating from 1995, and could expand to e-banking, online shopping or the personal data field

CONCLUSIONS
The Sony case has taught different people many lessons. For our interest in risks and how they relate to consumer information and data breaches this remains is an important case to study. The terms of a companies duty to disclose has been more closely scrunitized by regulators worldwide given the large fraud related concerns. This was primarily due to Sonys poor response to inquiries during the crisis. More lenient legal contructs (like Californias) regarding obligations to inform customers and clients of data breaches have become more noticably in of reform for consumer and fraud pertection. However, what is actually changes at the American federal and European intergovermental level are still up in the air.

REFERENCES/LITERATURE
Arthur C. and Stuart, K. 2011. PlayStation Network users fear identity theft after major data leak [Online]. Available from: http://www.guardian.co.uk/technology/2011/apr/27/playstation-users-identity-theft-dataleak?INTCMP=ILCNETTXT3487 [Accessed April 2012]. Boyd C. and Thomas S. 2011. Security lessons from the PlayStation Network breach [Online]. Available from: http://venturebeat.com/2011/09/22/security-lessons-fromthe-playstation-network-breach/ [Accessed April 2012].

Markoff, J. 2012. Flaw Found in an Online Encryption Method [Online]. Available from: http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-onlineencryption-method.html?pagewanted=all [Accessed April 2012].

Noer, M. 2011. Sony Response to PlayStation Security Breach Abysmal [Online]. Available from: http://web.ebscohost.com.remote.library.dcu.ie/ehost/detail?vid=3&hid=19&sid=8911fbf4838c-4cfd-b915Page | 9

9a6091edff44%40sessionmgr14&bdata=JnNpdGU9ZWhvc3QtbGl2ZQ%3d%3d#db=bth&A N=65258326 [Accessed April 2012].

OBrien, C. 2011. Sonys PlayStation network hacked [Online]. Available from: http://www.irishtimes.com/newspaper/breaking/2011/0427/breaking2.html [Accessed April 2012]. Rao, Lenna, 2011 J.P. Morgan: Global E-Commerce Revenue To Grow By 19 Percent In 2011 To $680B TechCrunch [Online]http://techcrunch.com/2011/01/03/j-pmorgan-global-e-commerce-revenue-to-grow-by-19-percent-in-2011-to-680b/

Rashid, F.Y. 2011. Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony [Online]. Available from: http://www.eweek.com/c/a/Security/Sony-Networks-LackedFirewall-Ran-Obsolete-Software-Testimony-103450/ [Accessed April 2012].

Stuart, K. 2011. PlayStation 3 hack how it happened and what it means [Online]. Available from: http://www.guardian.co.uk/technology/gamesblog/2011/jan/07/playstation-3-hackps3?intcmp=239 [Accessed April 2012].

Takahashi, D. 2011. Will PlayStation Networks improved security be good enough? [Online]. Available from: http://venturebeat.com/2011/05/14/will-the-improved-security-for-playstation-network-begood-enough/ [Accessed April 2012]. Sonys Response to the U.S. House of Representatives, 04 May, 2011, Posted by Patrick Seybold Sr. Director, Corporate Communications & Social Media, PlayStation Blog, URL: http://blog.us.playstation.com/2011/05/04/sonysresponse-to-the-u-s-house-of-representatives/ Philip R. Reitinger is Named Senior Vice President and Chief Inofmation Security Officer, Sony Corporation, Sony Corp. Info., News Releases, September 6, 2011, URL: http://www.sony.net/SonyInfo/News/Press/201109/11-109E/index.html Terms of Service, Sony Entertainment Network, URL: www.sonyentertainmentnetwork.com/terms-of-service/

Page | 10