Settlement appears imminent in an employee class action against Sony Pictures Entertainment (“SPE”) arising from disclosure of employees’ personally identifiable information (“PII”) in a massive data breach allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un. A stipulation filed earlier this week by plaintiffs and SPE notified the court of the imminent settlement. Terms of the settlement are as yet undeclared, but will become known on or before October 19, the deadline set in the stipulation for filing a motion for preliminary approval of the settlement. Any classwide settlement will be subject to court approval after notice to members of the proposed class, who will have the right to object or to opt out of the settlement entirely.
Written by Jonathan Ursprung
With the holiday season in full swing, many of us are struggling with that age-old question: “what do you get for the person who has everything?” Well, if that person happens to be your supreme leader, the answer may very well be “a massive download of electronic dirty laundry on their sworn enemy”.
In late November of this year, the disturbing outline began to form of a massive data breach at Sony Pictures. Early indications suggested that the perpetrators may have been acting on behalf of, or to curry favor with, Kim Jong-un of North Korea; Sony Pictures had been promoting its upcoming film “The Interview”, which features a fictional assassination plot targeting the head of state. While North Korea has since denied involvement, the possibility that state-sponsored hackers had carried out this attack was both credible and, ultimately, unsurprising.
Welcome to December – we hope you had a restful and enjoyable Thanksgiving holiday.
Here are a few privacy bits and bytes to start your week.
1. ICYMI – 60 Minutes Explains Credit Card Hacking
In preparation for Cyber Monday, 60 Minutes presented a well-researched and interesting story on credit card hacking. For privacy and security professionals, it may be old news, but as a consciousness-raising and mainstream piece of reporting, it is first-rate. Some points:
- From the time of intrusion into a system, the average time to detection of the bad guys is a “whopping 229 days.”
- 80 percent of breaches involve stolen or weak passwords. The most common — “123456” (Hey, it meets the minimum requirements of 6 characters!)
- “Detect it sooner. Respond sooner.”
One would expect that corporate Chief Information Officers (CIO), Chief Information Security Officers (CISO) and General Counsels/Chief Legal Officers have a lot to talk about these days including data privacy, breach response, network security assessments, e-discovery, BYOD policies and cloud computing security risks. However, a recent Gartner survey of CLOs found that over half of them have conversations with the CIOs no more than once a month.
Take some time to view a free webinar discussing how CIO/CISOs and CLOs can (and should) collaborate to overcome the obstacles to effective cyber risk management including:
- Risk mitigation options
- Planning for the best, expecting the worst
Written by Sue Foster, Mintz Levin – London
The UK Information Commissioner’s Office (ICO) has fined Sony £250,000 for the widely publicized 2011 security breach (see here, here, and here) during which hackers gained access to personal data (including credit card information) of over 77 million users.
For a company of Sony’s size, £250,000 is a hand-slap — and Sony’s announcement that it will appeal the fine is surely based on a matter of principle (or a desire to avoid a bad precedent) rather than a purely economic decision.
But what would Sony’s fine have been under the proposed new EU Data Protection Regulation?
Two percent of Sony’s worldwide turnover.
I’m not sure how much that is, but it’s a lot more than £250,000.
How exactly would the ICO be able to arrive at a fine equal to two percent of Sony’s worldwide turnover under the draft Regulation?
Article 79 of the draft Regulation provides for fines of up to 2% of an enterprise’s worldwide turnover in the event of a serious violation of the Regulation. Article 79 expressly calls out violations of Article 30, which requires data controllers and processors to implement “appropriate organizational and technical measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.”
The substance of Article 79 is already law. The ICO determined that Sony failed to take appropriate technical measures to protect the personal data of its users because Sony could have updated its software and prevented the breach.
Today, that costs £250,000. But in two years, it may cost much, much more.
There have been hundreds of articles written in the past week on the Sony Playstation Network breaches. Cynthia Larose, chair of Mintz Levin’s Privacy and Data Security practice, has been quoted in several articles over the weekend, including The Wall Street Journal [registration may be required], Reuters, and The Chicago Tribune.
In The Wall Street Journal, Larose said,
“Taken as a whole, the number of customers affected, the PR impact and now the legislative inquiries” rank these data breaches “at the top.”
We’ve had the Epsilon breach. We’ve had Sony Breach One and Sony Breach Two. Today, Bloomberg News reports on a breach that may be, as one security expert in the article calls it, “the nastiest password hack in history….” LastPass is reporting that hackers may have broken into its database and stolen info on as many as 1.25 million users.
LastPass is a company whose entire business model is built around safeguarding and simplifying users’ online passwords. Users subscribe to the service to create a single sign-on password with advertised “enhanced security features” to access their entire online persona — banking, shopping, or any other secure site requiring a password. In fact, their slogan is “The Last Password You’ll Ever Need.” The company has posted a notice on its site telling people “not to panic” but to change their master password. The servers appear to be overloaded and customer support is tweeting “I assure you, your data is secure…”
Written by Julia Siripurapu
Yesterday, in a Customer Service Notification posted on its website, Sony Online Entertainment LLC (“SOE”), based in San Diego, California, revealed that its systems were also the subject of a hacking attack. Sony Corporation and Sony Computer Entertainment announced in a press release issued this morning that, based on their ongoing investigations into the incident, the hacking attack on the SOE systems took place on April 16 and 17 and resulted in unauthorized access to the personal information (name, address, e-mail address, birth date, gender, phone number, login name, and hashed password) of approximately 24.6 million SOE customers. It also exposed approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes) and 10,700 direct debit records (bank account number, customer name, account name, and customer address) of SOE customers in Austria, Germany, the Netherlands and Spain, taken from an outdated database from 2007.
Add these records to the totals of last week’s PlayStation Network breach, and the number of Sony customers whose personal information has now been compromised is over 100 million, easily making this one of the largest (if not the largest) data breaches in history.
On Capitol Hill, the House Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing tomorrow titled “The Threat of Data Theft to American Consumers” to “examine risks related to data breaches, the state of ongoing investigations, current industry data security practices, and available technology.” Representatives from the Federal Trade Commission, U.S. Secret Service, the Center for Democracy and Technology, and Purdue University are expected to testify at the hearing (see hearing Background Memo). While Sony declined to testify at this hearing, it has agreed to submit answers to the Subcommittee’s questions about the PlayStation Network cyber attack by end of business today.
Update on the breach that exposed the information on 77 million users of Sony’s PlayStation Network:
Kevin Poulsen, a writer for Wired Magazine’s excellent blog, Threat Level, reports that Sony says that credit card numbers potentially stolen in the breach were encrypted. Poulsen quotes Sony, writing:
“All of the data was protected, and access was restricted both physically and through the perimeter and security of the network,” Sony wrote in a blog post.
“The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”
If you want to keep up with the technical and back-story side of this massive breach, Kevin’s reporting is top-notch.
There are many articles (see links below) being written and blogged today regarding the PSN breach. The Hill reports this afternoon that Representative Mary Bono Mack (R-CA) has announced a plan to introduce legislation to protect online consumer information. Bono Mack, as Chairman of the Energy and Commerce Trade Subcommittee, said that the subcommittee will be investigating the PSN breach.
Further reading –
- CNET suggests in its article that legal recourse could prove difficult due to language in Sony’s terms of service.
- ComputerWorld – Sony breach caused by poor security
- ComputerWorld Australia – Privacy Commissioner to begin investigation
- Radio New Zealand – New Zealand’s Privacy Commissioner urges PSN users to be vigilant
Written by Julia Siripurapu
Sony Corp. has acknowledged on its PlayStation website that between April 17 and April 19, its PlayStation and Qriocity networks were the subject of a hacking attack. As a result of this attack, the personal information, including name, address, email address, birth date, passwords, security question answers, and credit card data, of an estimated 77 million users of Sony’s PlayStation Network and Qriocity networked game services is believed to have been compromised, making this the largest data breach to date.
Sony’s delay in confirming the attack and notifying users of the data breach has been widely criticized by the user base and the media. In fact, the first class action against Sony was filed yesterday in the U.S. District Court for the Northern District of California in San Francisco on behalf of user Kristopher Johns on grounds of breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information.
The incident, characterized as a “catastrophic failure” by the New York Times, has also received attention from legislators. On Tuesday, Sen. Richard Blumenthal (D-Conn), in a letter to Sony, questioned the company’s delay of nearly a week in notifying users about the attack and the breach of their personal information. Given the recent rise in data breaches and Congress’ focus on privacy legislation, it is very likely that this incident is also already on the radar of other legislators, the Federal Trade Commission and state attorneys general.
Sony is not only under the microscope of U.S. legislators and regulators; the UK’s Information Commissioner’s Office told DataGuidance today that it has contacted Sony and will be making further enquiries to establish the precise nature of the [data breach] before deciding what action, if any, needs to be taken.
Stay tuned for updates!