
PSN: The Security Scandal

"One of the biggest security breaches of the internet age."

Two years ago, I was a victim of identity theft: someone contacted my bank, changed my address and managed to get a brand new credit card dispatched to a place I'd never heard of. I was lucky in that either the fraudster or the bank made a mistake on the new address and the card was delivered to a good Samaritan who handed it in at their local branch. From there, the alarm was raised.

This is quite an impressive achievement on the part of the fraudsters, presumably operating with the most basic of information derived from the electoral roll. The compromised card was basically dormant and had only been used for zero per cent credit card tarting. The fact that I wasn't even in the country for months during that period made the feat even more unbelievable. Social engineering, based on my UK address, was eventually blamed by the bank when I pressed for answers.

In short, bad things can happen using just snippets of the kind of information stolen from the PSN servers. The question now is: just how much does Sony know about us over and above what it has already revealed? Has this data been compromised too? In the wake of this "external intrusion", just how much should we trust any of the console platform holders with any kind of personal information?

The chances are that Sony knows a lot more about us than it is letting on. It's been something of an open secret for months now that every time you log into the PlayStation Network or even access the internet, the console "phones home" a wealth of information based on your interactions with it. While this info is nowhere near as sensitive as the PSN sign-in details, Sony really does have to come clean on the amount of personal data it is acquiring from us, especially if there is any hint that this information has been compromised.

Intercepted logs from the PS3 reveal that the games you play and how long you played them for are part of the information being sent, but the hackers suggest that a lot more data is being extracted from your console: the digital IDs of every USB and HDMI device you attach, just for starters. But with completely unfettered access, what else would Sony like to know? A list of the DVDs and Blu-rays we've played on the system perhaps?

Information on the make-up of your PS3's hard drive has almost certainly been sent back to Sony HQ. The presence of pirate data was one of the detection techniques Sony used in banning a wave of PS3 jailbreakers earlier this year. It's difficult to take issue with moves like this that seek to secure the network, but the logical question to ask in the wake of this concerns the nature of the HDD scan and what Sony did with the data. Having read through the exhaustive PlayStation Network terms of service, no mention is made of this kind of information being transmitted back to Sony at all. Consumers are being left in the dark.

In the interests of balance, there is evidence that Microsoft operates on the same principles, at least to a certain extent. For example, how else were Epic able to comment on how many of its 360 users were still using standard def TVs unless it were derived from data mined via Xbox LIVE usage?

The bottom line is this: whatever information Sony has tied to our personal accounts – no matter how insignificant – should be divulged if there is even the most remote suspicion that it has been compromised. Any kind of link between different datasets that may have been hacked should also be revealed: if usage patterns are linked to a specific console ID, and PSN accounts are linked to that same console ID, we deserve to be told.

In the wake of this security breach, the whole relationship between console manufacturers and what information they take from us without our knowledge needs to be questioned. Parallels should be drawn to computer operating systems, where there would be consumer outrage and legal suits pending were Microsoft or Apple continually phoning home with information on how we are interacting with their products. If this data has commercial or marketing value, they can pay us for it.

In the wake of this fiasco, trust needs to be rebuilt between Sony and the customer – but from a personal perspective, that trust has now been lost. All personal information will be stripped from my PSN and XBL accounts (technically putting me in breach of their terms of service), and I'll be using pre-paid cards only.
