Sony PSN Breach: What Should You Do Now?

Sony's weeklong outage of the PlayStation Network went from bad to ballistic overnight, with the company confirming that the breach that caused it to shutter its online service for the PlayStation 3 and PSP may have also resulted in personal information being accessed by "an unauthorized person." Sony has confirmed that in addition to details such as name, address, country, e-mail address, birth date, PlayStation Network/Qriocity password and login, and handle/PSN online ID, credit card details may have been compromised, possibly affecting the 75 million registered PSN users globally.

Unauthorised access to your credit card and, even worse, identity theft are a distinct possibility as part of this massive breach. But should you be worried? What's the worst that could happen to you and your finances? And what steps should you immediately take to protect yourself? GameSpot AU spoke to several security analysts to gauge their views, and the message is clear: to paraphrase an Australian government catchphrase, PSN users need to be alert but not alarmed.

GameSpot AU: So how scared should PSN users be about this breach?

James Turner (IBRS security industry analyst): People shouldn't be scared at all--but they should take two pieces of action: cancel your credit card and change your passwords, particularly if your PSN password is the same for other services.

Nick Ellsmore (Stratsec head of delivery): That's a tough question. The whole area of identity theft is quite challenging to work with. If all people needed to steal your identity was your name, date of birth, address, and PSN password, then I think we have much bigger problems as a whole compared to just this particular breach of data. The reality is the electoral roll is publicly available. You can go on Facebook and find out a lot of information about someone. The real issue here is this type of data has been breached in a very public way.

Chris Gatford (Hacklabs director): I wouldn't lose sleep, and I wouldn't rush out and cancel credit cards. I would be more disappointed with Sony. This occurs on almost a daily basis worldwide (large organisations being compromised), but most consumers will be protected by their banks against fraudulent transactions.

What's harder to quantify is the loss of personal information. Say you used your mother's maiden name as a security question, or used another question you use for other websites. This information can be used by attackers to access other services you use.

GS AU: So what's the worst that could happen to an individual?

JT: That depends on who you are. Credit card details being lost could lead to fraudulent transactions. In Australia, our banking code says that banks will cover the cost for fraudulent charges on a credit card, so the big issue there is the time it takes for the bank to do the investigation and refund the transaction.

NE: It's hard to say, because of the different levels of personal details people have on the network. If you get hit with a phishing attack and people access your accounts, then the banks will reimburse. Same with credit cards. It's more the inconvenience and any issues the timing causes.

CG: Clever attackers will take 12 or 18 months before they access your card, and often stagger purchases so it's harder to track down to an individual source. People could also use that information to, for example, try to take out loans in your name or get an extra credit card. It can be reversed, but it's a time-consuming process to go to a bank and reverse it.

GS AU: How likely is it that something will occur to a PSN user because of this?

JT: That's hard to say--it depends on who perpetrated the attack and what their motivation was for it.

NE: You would have to say very unlikely. Australia has a very well-regulated and controlled banking system and finance system, and we do not have high rates of fraud.

CG: I don't know how likely identity theft is to occur--if anything, it will be more likely petty theft.

GS AU: So what's the minimum concerned PSN users should do right now to protect themselves?

JT: Change their credit cards and their passwords, particularly if they use the same password across other accounts.

NE: Be alert of anything untoward happening on your accounts. And if the password on the PSN is the same as you use elsewhere, then just go ahead and change it. Should you cancel your credit card? Not really, but if you have any concerns, talk to your bank and have that discussion. Personally, if something happened to me, I would call the bank, get the fraud reversed, and then cancel the card from there.

CG: At the absolute worst, if you want to avoid the annoyance of having to handle credit card fraud, then change the number on your card. If you use the same username and password value on other services, then obviously change that, as well.