Ran Zhang
Programme: MECB1 - MSc in Electronic Commerce
Risk Management & Regulation in e-Commerce
Assignment: Focus on Sony
IS510
Jack Nagle
27-APR-2012
Project Title:
Declaration
I, the undersigned, declare that the project material which I now submit is my own work. Any assistance received by way of borrowing from the work of others has been cited and acknowledged within the work. I make this declaration in the knowledge that a breach of the rules pertaining to project submission may carry serious consequences. I am aware that the project will not be accepted unless this form has been handed in along with the project.
TABLE OF CONTENTS
DCU Business School Assignment Submission .......... 1
Introduction .......... 4
Company Overview .......... 4
PSN Data Collection .......... 4
High Profile Data Breach Incident .......... 5
Why it happened .......... 5
Sony's Immediate Response .......... 6
Policies Introduced as a Result .......... 7
Any Recent Scandal .......... 7
Vulnerabilities in Legislation .......... 7
Conclusions .......... 9
References/Literature .......... 9
INTRODUCTION
It is anticipated that global e-commerce revenue will hit $963 billion by 2013, with predicted growth of 19% annually (Rao, L., 2011). This growth will undoubtedly see more consumers handing over personal financial data. With frequent high-profile online security breaches jeopardising consumers' information, the focus must be on what measures companies are taking to secure this data and what legislation exists to oblige commercial entities to meet acceptable standards of online security. This report explores the high-profile security breach of Sony's PlayStation Network (PSN) that led to millions of users' personal and financial information being exposed. Focus is placed on what occurred in the aftermath, analysing Sony's response. The report also analyses the damage, if any, done to the company's corporate reputation, and the measures brought in to negate that damage and avoid such a scenario arising again. Finally, there is a discussion of the role of legislation in defining Sony's legal responsibility with respect to this incident.
COMPANY OVERVIEW
Sony needs little introduction as one of the world's leading digital entertainment brands, with a large portfolio of multimedia content. A key focus for Sony is its gaming division, Sony Computer Entertainment, a major video game company specialising in a variety of areas of the video game industry; this division is the focus of this report. The PlayStation Network (PSN) is an online multiplayer gaming and digital media delivery service; to use it, users are required to create an account, supplying the following data:
- Name
- Address
- Country
- E-mail address
- Date of Birth
- PSN password and login name
Apart from this profile data, additional information is compiled internally, including purchase history, billing address and the answers to the security questions on users' accounts.
WHY IT HAPPENED
The attack on the Sony PlayStation Network was enabled by the lack of a random number in the algorithm used by its security system. This ultimately allowed the secret key used to protect digital content on the system to be discovered, a crucial mistake for Sony to make (Markoff, 2012). The security practices in place at Sony also left much to be desired. The company failed to protect its networks with firewalls, and it was running obsolete web applications, making its sites attractive targets for hacking activity. Outdated versions of the Apache web server were in use, no patches had been applied on the PlayStation Network, and no firewall was running on the PlayStation Network servers (Rashid, 2011). At board level within the Sony organisation there were also problems and failings: organisational complexity and a lack of adequate support for security. It is not known exactly what security measures Sony had in place prior to the breach, but organisational complacency also played a role in the PlayStation Network attacks. Security entails more than adequate software and encryption; all aspects of the company must be involved: people, processes and technology (Boyd and Thomas, 2011).
VULNERABILITIES IN LEGISLATION
European Regulations
In Europe, security breaches of this nature fall under data protection and privacy regulation, which the European Commission leaves to each EU member state, unlike Europe's antitrust regulation, which is centralised. The power of that centralised approach means that the European Commission can issue multibillion-euro fines to companies found in breach, which it has successfully done in the past to companies like Microsoft and Intel. In the aftermath of Sony's breach, by contrast, a number of European countries launched independent investigations. In the United Kingdom, the Information Commissioner's Office (ICO) has the power to fine Sony up to £500,000 if it finds that individuals were seriously affected; however, one year on from the breach, a decision on whether Sony will be fined is not due until early May 2012, according to the ICO website. In Ireland, the Data Protection Commissioner contacted Sony Ireland and requested that the company prepare a full report disclosing the risk posed to its Irish customers. The fact that Irish regulation did not require the Data Protection Commissioner to launch an independent investigation, despite the high-profile nature of the breach, indicates a vulnerability in Irish data protection regulation. Sony was never ordered to pay a fine in Ireland, and despite investigations in countries including Spain, France, Germany and the Czech Republic, no country has yet issued a fine. Although there are European member states that would be unwilling to relinquish control of their data protection regulations, it must be highlighted that the lack of centralisation means that serious security breaches involving consumer data are occurring without any damaging financial penalties being imposed on the company.
With few implications or consequences in place for breaches of this magnitude, it could be argued that there is also little motivation for companies to invest heavily in the security and policies that would protect their consumers' data. This breach ignited new discussions in Europe about extending current data protection laws beyond the telecommunications industry. These laws, known as the E-Privacy Directive, currently affect the telecommunications industry and require telecom networks in the EU to make swift, mandatory disclosure of a data breach. If the proposed extension of the directive is made, Matthew Newman, a spokesman for the EU Justice Commissioner, was quoted as saying, it "will modernize rules dating from 1995, and could expand to e-banking, online shopping or the personal data field".
CONCLUSIONS
The Sony case has taught different people many lessons. For our interest in risks and how they relate to consumer information and data breaches, this remains an important case to study. The terms of a company's duty to disclose have been more closely scrutinised by regulators worldwide, given the large fraud-related concerns. This was primarily due to Sony's poor response to inquiries during the crisis. More lenient legal constructs (like California's) regarding obligations to inform customers and clients of data breaches have become more noticeably in need of reform for consumer and fraud protection. However, what actually changes at the American federal and European intergovernmental level is still up in the air.
REFERENCES/LITERATURE
Arthur, C. and Stuart, K. 2011. PlayStation Network users fear identity theft after major data leak [Online]. Available from: http://www.guardian.co.uk/technology/2011/apr/27/playstation-users-identity-theft-data-leak?INTCMP=ILCNETTXT3487 [Accessed April 2012].
Boyd, C. and Thomas, S. 2011. Security lessons from the PlayStation Network breach [Online]. Available from: http://venturebeat.com/2011/09/22/security-lessons-from-the-playstation-network-breach/ [Accessed April 2012].
Markoff, J. 2012. Flaw Found in an Online Encryption Method [Online]. Available from: http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?pagewanted=all [Accessed April 2012].
Noer, M. 2011. Sony Response to PlayStation Security Breach Abysmal [Online]. Available from: http://web.ebscohost.com.remote.library.dcu.ie/ehost/detail?vid=3&hid=19&sid=8911fbf4838c-4cfd-b915
O'Brien, C. 2011. Sony's PlayStation network hacked [Online]. Available from: http://www.irishtimes.com/newspaper/breaking/2011/0427/breaking2.html [Accessed April 2012].
Rao, L. 2011. J.P. Morgan: Global E-Commerce Revenue To Grow By 19 Percent In 2011 To $680B. TechCrunch [Online]. Available from: http://techcrunch.com/2011/01/03/j-p-morgan-global-e-commerce-revenue-to-grow-by-19-percent-in-2011-to-680b/
Rashid, F.Y. 2011. Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony [Online]. Available from: http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/ [Accessed April 2012].
Stuart, K. 2011. PlayStation 3 hack: how it happened and what it means [Online]. Available from: http://www.guardian.co.uk/technology/gamesblog/2011/jan/07/playstation-3-hack-ps3?intcmp=239 [Accessed April 2012].
Takahashi, D. 2011. Will PlayStation Network's improved security be good enough? [Online]. Available from: http://venturebeat.com/2011/05/14/will-the-improved-security-for-playstation-network-be-good-enough/ [Accessed April 2012].
Seybold, P. 2011. Sony's Response to the U.S. House of Representatives, 04 May 2011. PlayStation Blog [Online]. Available from: http://blog.us.playstation.com/2011/05/04/sonys-response-to-the-u-s-house-of-representatives/
Sony Corporation. 2011. Philip R. Reitinger is Named Senior Vice President and Chief Information Security Officer, Sony Corporation. Sony Corp. Info., News Releases, 6 September 2011 [Online]. Available from: http://www.sony.net/SonyInfo/News/Press/201109/11-109E/index.html
Sony Entertainment Network. Terms of Service [Online]. Available from: www.sonyentertainmentnetwork.com/terms-of-service/