Sony faces legal action over attack on PlayStation network


Rik Ferguson is both a PlayStation user and a computer security expert and spoke to the BBC's Rory Cellan-Jones about what the breach means for gamers

A lawsuit has been filed in the US against Sony over the hack of its PlayStation Network.

The legal action by a PSN user claims Sony did not do enough to protect the private data of its customers.

It also asks for compensation and for Sony to pay for credit card monitoring to spot if stolen details are being used fraudulently.

At the same time, the attorneys general for four US states have begun looking into the attack.

Credit fraud

The scale of the security breach suffered by the PlayStation Network (PSN) became apparent on 27 April.

In a statement posted on the official PlayStation blog, the company said user account information for the PlayStation Network and Qriocity services had been compromised following an "illegal and unauthorized intrusion into our network".

The company posted an apology for the security breach and ongoing disruption to the PSN and Qriocity services.

Image (Reuters): Woman walking on PlayStation logo. Caption: Sony said the PSN would only be fully restored once it was sure it was secure.

Personal information, including name, address, e-mail address and login details for PSN and Qriocity, was taken. Sony also said that, although credit card data was encrypted and there was no evidence it was stolen, the theft of the data could not be ruled out.

The blog posting warned users to look out for attempted telephone and e-mail scams that use stolen information to lend them credibility. About 77 million people are thought to have been affected by the attack.

Technology news site Ars Technica said it had been contacted by many readers who said the credit card they used for the PSN had been used fraudulently recently.

Ars Technica reporter Ben Kuchera said it was hard to confirm if the problems were related to the PSN attack, adding: "We may be dealing with a coincidence in timing."

Court case

On 27 April, a lawsuit was filed in California on behalf of Alabama resident Kristopher Johns, accusing Sony of not taking "reasonable care to protect, encrypt, and secure the private and sensitive data of its users".

Law firm Rothken is seeking damages for its client.

In a separate move, attorneys general from Iowa, Connecticut, Florida and Massachusetts said they had started investigations into the PSN hack.

The UK Information Commissioner, Christopher Graham, is also considering taking action over the case.

Speaking on BBC Radio 4's "You and Yours" programme, he said it looked like "a very significant breach of data protection law".

The Information Commissioner's Office (ICO) has the power to impose fines of up to £500,000.

His ability to take action ultimately depended on whether PSN data was stored in the UK - something he was still trying to establish.

Technology Correspondent Rory Cellan-Jones on Sony's statement

The theft of so much detailed customer data would be seen as a "public relations disaster", according to Graham Cluley, senior technology consultant at security firm Sophos.

"This is a big one," he told BBC News.

"The PlayStation Network is a real consumer product. It is in lots of homes all over the world.

"The impact of this could be much greater than your typical internet hack."

Mr Cluley warned that, even without credit card details, the information taken was enough to help criminals carry out further attacks on other services.

"Some people will use the same passwords on other sites. If I was a hacker right now, I would be taking those e-mail addresses and trying those passwords," he said.

PlayStation users got their first indication that something was wrong with the service when it became unavailable on Wednesday 20 April.

In the following days, Sony issued three brief statements asking users to be patient while it investigated an "external intrusion", or hack.

The Sony PlayStation Network remains unavailable to users. The company has not said when full service will be restored.

On its blog it said it might be a week or more before some elements returned. However, it added, the system would not be turned back on until it was happy it was secure.

As part of its efforts to beef up security and ensure the network is not compromised again, Sony said it was going to move the PSN infrastructure to a new, more secure location.



    Comment number 51.

    This goes to show why you should not put your true date of birth into any site other than those who truly need it, such as insurance. Your name and date of birth together is probably unique: don't let people misuse that code.


    Comment number 33.

    As a software engineer I find myself shocked that Sony did not encrypt account information. This entire situation should never have happened, it's the equivalent of leaving a bank vault door open! Personal information should never be stored in plain text.

    I don't know how a company so big with a database of millions could take such risks.


    Comment number 12.

    I haven't been able to get online but hey ho, it means I've enjoyed the sunshine. Now I'm a bit worried that all that data was stolen? Surely Sony should be able to protect data better than that? Very disappointed in Sony.


    Comment number 8.

    I use the PlayStation Network a lot and, while it is worrying that information has been stolen, I think this case highlights the insecurity of technology, and people need to be aware this can happen to anyone who has details stored by any company electronically that is connected to a network.

    Although hopefully Sony will have improved security now against similar attacks it may face in future.

