Sony Corp.'s announcement this week that the personal information of tens of millions of customers may have been stolen isn't just a black eye for the company or a security problem for consumers. The massive breach could have much wider security implications, and may cause corporations to rethink their desire to collect as much information from users as possible.
Sony revealed on Tuesday that hackers managed to break into databases that contain personal information associated with 77 million user accounts on the company's popular PlayStation Network - an online portal that lets the users of Sony's PlayStation game console do everything from socialize to purchase games and movies. Among the information the hackers accessed were names, addresses, birth dates and e-mail addresses. Sony could not say for certain whether the hackers also managed to get their hands on credit card numbers associated with the accounts.
As problematic as the data breach itself is the extent to which criminals can now use the information gained to launch even more attacks. For example, malicious hackers could send out mass e-mails purporting to be from Sony and asking users to open an attachment in order to reset their PlayStation account information.
The attachment could contain malicious code, known as malware, that would effectively take control of a user's computer. Those infected machines could, in turn, be turned into a powerful supercomputer, known as a botnet, which could then be used in further attacks by hackers.
"The thing that I would do is send a grovelling e-mail message [pretending to be] from Sony saying … 'to get back on the network, please fill in the attached form,' and I'd make sure there was some malware in the form," said David Skillicorn, a professor at the Queen's University School of Computing. "I would have a huge botnet by tomorrow morning."
Sony first suffered a data breach between April 17 and 19, but didn't inform users until Tuesday, because the company did not immediately realize the full extent of the intrusion. Since the first attack, Sony has shut down access to its PlayStation Network, meaning users cannot play certain games online or download anything from the company's virtual store.
But the far more important concern for most Sony customers is whether the hackers managed to get a hold of credit card numbers during the attack - something Sony has not yet confirmed.
In response to a question on Wednesday from the Globe and Mail, Sony would not say whether the company stored customer credit card numbers in an unencrypted format, which would make them immediately decipherable by anyone who had access to the data.
The massive data breach - which Prof. Skillicorn says is among the five biggest such intrusions in the past decade - comes at a time when consumer privacy in the digital world is coming under intense scrutiny. Apple is currently under fire for the amount of location information its mobile devices store, as well as the length of time such data is kept on file. Critics claim the data could easily be used to track a person's movements over time periods as long as a year.
A few weeks earlier, Epsilon, the world's largest e-mail marketer, said it had suffered a data breach. As a result, hackers may have obtained millions of customer e-mail addresses.
Sony's data breach affected more than one million Canadian customers, the company said yesterday. The federal privacy commissioner is now also looking for answers.
"Sony did not notify our office of the breach," spokeswoman Valerie Lawton said in an e-mail. "We are currently looking into this matter and are seeking information from Sony. We will determine next steps once we have a full understanding of the incident."
In recent years, companies ranging from Sony to Facebook have offered otherwise free services to users in exchange for personal information. In some cases, that kind of information is especially useful because it can be used to figure out what products certain people are most likely to buy, and to aim marketing dollars at very specific demographics. However, some companies have come under fire for unnecessarily collecting such data.
Some Sony PlayStation users were asked to create PlayStation Network accounts even if they didn't intend to use the company's online services. In the wake of this month's data breach, it is likely that Sony and other companies will look to impose tighter limits - as well as better security - on their data collection.
"Clearly, Sony will have to change things pretty dramatically," Prof. Skillicorn said. "The question is going to be how they'll recover from this, at least until people forget about it."