Loss of Privacy

From Help Net Security:

After having disclosed the extent of the employees’ information stolen in the recent hack to the California Attorney General’s Office, Sony Pictures Entertainment (SPE) has sent out an email to the affected workers, outlining the scope of the potential damage the “brazen cyber attack” might bring to them personally.

“Although SPE is in the process of investigating the scope of the cyber attack, SPE believes that the following types of personally identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) Social Security Number, driver’s license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information,” the letter described.

Download (PDF, 149KB)

Earlier this year, Sony had its Playstation Network (PSN) hacked and it was down for more than a month. Several users brought a class-action lawsuit against Sony and, now, Sony is fighting back. The PSN now has a mandatory upgrade for all users in which part of the TOS forces the user to give up their rights to ever suing Sony again. Sony has gone so far as to suggest that anyone refusing to upgrade will be banned from PSN.

This is Sony’s blatant attempt to remove any responsibility on their part if or when their servers are hacked again. Considering the fact that not only were user names and passwords compromised, but so were credit cards and personal information of its PSN members, Sony should not be allowed to modify its user agreement to get out of paying any legal damages. Unfortunately, it appears that the Supreme Court might side with Sony on this one as they have ruled that a company could force you into, at the very least, arbitration. Note that Canada may already have a law on the books making Section 15 of the new EULA from Sony illegal.

What most users don’t know is that there may be an option to opt out.

It is, however, possible to opt out of the agreement within the next 30 days.

Gamers will now have to try to resolve any legal issues with an arbitrator picked by Sony, before being able to file a lawsuit.

Section 15 of the new EULA describes how this can happen.

RIGHT TO OPT OUT OF BINDING ARBITRATION AND CLASS ACTION WAIVER WITHIN 30 DAYS. IF YOU DO NOT WISH TO BE BOUND BY THE BINDING ARBITRATION AND CLASS ACTION WAIVER IN THIS SECTION 15, YOU MUST NOTIFY SNEI IN WRITING WITHIN 30 DAYS OF THE DATE THAT YOU ACCEPT THIS AGREEMENT. YOUR WRITTEN NOTIFICATION MUST BE MAILED TO 6080 CENTER DRIVE, 10 TH FLOOR, LOS ANGELES, CA 90045, ATTN: LEGAL DEPARTMENT/ARBITRATION AND MUST INCLUDE: (1) YOUR NAME, (2) YOUR ADDRESS, (3) YOUR PSN ACCOUNT NUMBER, IF YOU HAVE ONE, AND (4) A CLEAR STATEMENT THAT YOU DO NOT WISH TO RESOLVE DISPUTES WITH ANY SONY ENTITY THROUGH ARBITRATION.

Make sure you remember to write to them via snail mail and keep a copy of your tracking number and receipt for the letter. You can view Section 15 here [pdf] . You can fill out a form letter here.

Sony has mad the news over the last 4-5 weeks for all the wrong reasons. If you would like to see the detailed list of how many times they’ve been hacked, just head over to Absolute Sownage and read all about it.

The most disgusting part of all this is that Sony stored the passwords of its users in plain text. It’s absolutely pathetic that a corporation as big as Sony can’t even get the basics of security right.

the latest hack was performed using SQL injection: a rudimentary technique that depends on improper handling of website URLs. Being susceptible to SQL injection is embarrassing enough—techniques to prevent it are well-known, and easy to apply to any database-driven website—but what makes this hack even worse is the data that has been compromised.

The fact that anyone who can read a database can read the plain text passwords is just the tip of the iceberg. Sony has no excuse for not fixing or patching their systems to prevent well-known SQL injections.

Sony customers are also going to suffer. Many reuse passwords on other sites and many of Sony’s compromised accounts included real name, address, and phone number. Until people take security seriously on the individual and corporate sides, things will only get worse.

It also gives another reason for me to stay away from online gaming and to continue to use multiple passwords online.