This week just keeps getting worse for Sony. After shutting down the PlayStation Network for over a week, the company announced yesterday that users' information (possibly even credit card data) may have been swiped by an unknown assailant. Since that time, Sony has come under deep criticism from the gaming community, with many questioning how long the company was actually aware of the breach. Now, government representatives from both the United States and the United Kingdom are actively seeking answers into what went wrong.
Connecticut Senator Richard Blumenthal has sent a letter to Sony Computer Entertainment America CEO Jack Tretton, asking for answers in regards to the data leak. Primarily, Blumenthal's letter shows concern over the amount of time it took Sony to notify users of the security breach.
"When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised," Blumenthal's letter states. "Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft."
The speed with which Sony gave notice of possible credit data theft is a bit suspect. On April 19th, the company shut the PlayStation Network service down, citing an "external intrusion." After that -- silence. With little to no new information from Sony over the following days, those with sensitive information on their PlayStation accounts were forced to sit and wait. So, when Sony finally announced that some user information may have been swiped, many were left with the obvious question: could Sony really have just discovered today that credit card data may have been endangered by the breach?
That's exactly what the UK's Information Commissioner Office, a government agency who seeks to uphold information rights and data privacy, would like to find out. The ICO says it's looking in to whether or not Sony was doing enough to protect sensitive user information, and if the company notified the public in a timely manner.
""The Information Commissioner's Office takes data protection breaches extremely seriously," the group told Eurogamer this morning. "Any business or organization that is processing personal information in the UK must ensure they comply with the law, including the need to keep data secure."
Sony has insisted that they were not previously aware that card data was stolen, and made the announcement as soon as possible. Either way, this situation is a public relations nightmare for the PlayStation brand. Like many gamers, I spent the afternoon yesterday changing all of my passwords and getting a new debit card (that takes a week to arrive). I would like to think Sony notified us as soon as possible, but it's hard to believe that a company with over 75 million users didn't believe credit card data was in danger after an "external intrusion."
We'll keep you up to date as the story unfolds.