Wednesday, 27 April 2011

No Credit to Sony

Eiko and her credit cardI hate to say it but I was right: Sony proved out to be the most incompetent company ever when it comes to the handling of its customers’ personal details. This is the result of today’s announcements that the personal details of 77 million PlayStation Network customers, yours truly included, have been compromised. The breach included the names, addresses, dates of birth and passwords(!); at this stage it is unclear whether credit card numbers have been stolen but Sony advises customers to contact their financial institutions. I already did; I spent the morning and the better parts of my night blocking my card and redirecting direct debits, and I still have a long way to go.
You can read more about this through the BBC here, Wall Street Journal here, and ars technica here.

The first question that pops into my head is why did Sony wait for ten days before announcing the breach. We now know the damage was done on 17 April; the PlayStation Network (PSN) has been down for six days already, so obviously Sony knew something is going on. Yet only today, 27 April, did it bother coming out of the darkness to tell us what’s going on. Those that stole our details could have had some major festivities with them by now.
My next question is how come Sony has been storing passwords in the clear, without some form on encryption applied. This is not just malpractice; I suspect it’s also against the law.
The next question that comes to mind is what makes organizations as big as Sony think they are capable of safely managing their customers’ details. Again and again this assumption of “I’m big therefore I can do it” turns out to be wrong. Whether it’s the government (how often did the British government lose private information over the past few years?), Vodafone or now Sony, it is clear that organizations are cutting corners when it comes to the storage of personal info. It is clear they are incapable of the task.
Which leads to my next question: why, oh why, does Sony need to store my personal details in the first place? In Australia, an address and a date of birth is all one needs to steal my identity and do various tasks ranging from dealing with utility companies to health care and insurance, not to mention simple banking transactions. Why does Sony need to maintain such potent information in order to run a network of f*cking video games?
Note Sony does not have to deal with private information to sell us stuff. It can, for example, let the banks deal with the financial aspects of the transactions. All major banks offer such online facilities, but Sony wouldn't want to use these, do they? After all, the banks take a cut that Sony can keep to itself.
Needless to say, Sony is not alone. Apple has my credit card details and I know they use them to identify me when I bought a keyboard from an Apple shop (my name and address were on the invoice after the only thing I gave the cashier was my credit card). Amazon has also been storing my credit card details for fifteen years now. Who, then, is going to be the next conglomerate to fail me?
In contrast, PayPal has been holding my credit card details too. They, however, actually do need them; PayPal’s entire service is built around only them knowing what my personal info is.

Less than two weeks ago I explained how I prefer to buy my online books from companies that do not store my personal information (here). Sadly, today I received more than enough evidence to prove my paranoia is entirely justified.


P.S.
As if putting out fire with gasoline: I only had to wait a couple of hours after reading about Sony’s privacy breach before learning of a new one. This time it’s Borders that had its customers' private information stolen from them (read here).
I don’t think we need to hold our breath for something to happen here. Privacy related legislation is so lax, and politicians are so in the pocket of big companies, we are guaranteed this charade will go on and on.

Image by eikootje, Creative Commons license

No comments: