Over the past few weeks there has been a lot of complaint and speculation about the significant compromises of the Sony PlayStation Network (PSN), Qriosity and Sony Online Entertainment (SOE) affecting over 100 million accounts. I don’t know all the facts, as they are still emerging, but I have a few general views:
1. Be prepared
Ensure that you have an effective communications plan, which you can enact quickly. Sony and Apple have recently both been castigated for their time to both acknowledge and respond to issues. People shouldn’t expect answers immediately, but they would like to know that you’re actively addressing the situation.
Have a forensic readiness plan, retaining technical and investigative expertise as required. This will help minimise contamination of evidence whilst controlling the incident - essential if you want to know how they got in, what they did, what trail they left. Without this, you have no realistic chance for a successful prosecution.
2. Treat customer data as your own
It’s one thing to spend lots of effort in protecting your information with DRM, DMCA takedown notices, rootkits, and legal threats & proceedings and another to leave personal data such as e-mail addresses, phone numbers and passwords in the clear. Just encrypting credit card data, to get your PCI-DSS tick in the box, is not enough.
Validated email addresses have value to spammers, real names help phishers, dates of birth help facilitate identity fraud, password reuse is big with users leading to further compromises. Learn from other attacks, such as on Epsilon and Gawker. Governments looking to spy on dissidents have targeted Facebook and Gmail.
If it is popular, expect it to be targeted and hacked. Build your platform to minimise impact.
3. Expect legal and regulatory fallout
In our interconnected world, there is a raft of jurisdictionally specific (and sometimes conflicting) legal and regulatory requirements that large online services need to be aware of and compliant with, including ones covering data breach notifications and privacy of personal and financial data. Investigations may ensue.
Fines may be imposed by data protection and financial regulators, and individual or class action suits may be brought. These could be anywhere you are considered to operate your service. The Sony and Hotz ‘PS3 hacking’ case demonstrated this can be a complex and fraught process. Make sure you have access to a great legal team.
This hacking incident may have brought some positives in that Sony has now learnt some of the above lessons, and has a new Chief Information Security Officer (CISO) role that, hopefully, has the remit to improve security and privacy practices, and the PSN users have gone outside to enjoy the spring sunshine.
Gareth Niblett is the Chairman of the BCS Information Security Specialist Group.