Just weeks after more than 100 million accounts were breached in two massive attacks, a group of hackers has attacked Sony for the third time because they are upset with the company’s handling of the breach on Sony’s Online Entertainment and PlayStation networks.
The third data breach — not as serious as the first two breaches — included the names and partial addresses of 2,500 customers who entered a product sweepstakes in 2001.
Sony’s investigation is ongoing, and the company says it is upgrading its security so that if attacks like this happen again, its defenses will be even stronger. The company also plans to hire its first-ever Chief Information Security Officer — but is that too little, too late for its customers’ online security and privacy?
Sony also just announced it has partnered with a company called Debix, Inc. to offer customers a twelve-month identity-theft protection program to insure users against identity theft for up to $1 million each.
But what if this leads to more spearphishing, not less?
How? As much as Sony has warned that it will never contact customers via phone calls or emails, the company it has hired to protect its customers does contact customers by phone and email.
Sony will start sending out activation emails for this program over the next few days, and users will have until June 18 to register and redeem their code.
Users will not register on Sony’s websites, but rather through a Debix service called AllClear ID.
If AllClear ID suspects a customer is being victimized online, the company alerts the user by phone and/or email and offers advice, support, and monthly identity-status reports. If a customer receives an alert, or otherwise suspects that he/she may be the victim of identity theft, the customer can speak with an on-staff licensed private investigator.
In the case of identity theft, the customer can work with an identity-restoration specialist to contact creditors and others, and take necessary steps to restore their identity.
Sounds promising, right?
So where does that $1 million insurance policy come into play? Well, if after all that monitoring a customer still becomes an identity-theft victim, the insurance would provide financial relief of up to $1 million for covered identity restoration costs, legal defense expenses, and lost wages that occur within 12 months after the stolen identity event.
Making Up For Lost Time?
Sony’s peace offering, currently offered to only U.S.-based PlayStation customers, also includes a month of free PlayStation Plus membership and an extension of subscriptions for PlayStation Plus and Music Unlimited customers.
In an official statement, Sony’s president and chief executive officer Howard Stringer apologized for the inconvenience caused by the attack and said the company has teams “working around the clock and around the world to restore your access to those services as quickly, and as safely, as possible.”
Stringer went on to say that, in hindsight, the company should have notified customers sooner.
“As soon as we discovered the potential scope of the intrusion, we shut down the PlayStation Network and Qriocity services and hired some of the best technical experts in the field to determine what happened. I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had — or had not — been taken,” he said.
Do’s and Don’ts to Prevent Spearphishing
If you’re a PlayStation user, have you noticed any instances of fraud in the past few weeks? Have you changed your password or login information? Are you concerned about protecting yourself now and in the future while using services like PlayStation?
Here are some basic “dos and don’ts” when it comes to online security and guarding against spearphishing attacks:
- Do cancel the credit card associated with your PlayStation account.
- Do monitor your credit card statements more closely.
- Do change your password and/or cancel the account; try not to use the same password for all your online accounts like Amazon, Facebook, Flickr, and Gmail.
- Do keep a close record of any suspicious activity and a timeline of any fraud you think has been committed against you.
- Do not click on any link in an email that is asking you to update your account or install an update.
- Do not use a debit card online because it’s more difficult to dispute the fraudulent claim with your bank.
Finally, is it a “do” or “don’t” when it comes to participating in Sony’s identity-theft prevention program? Remember that Sony has promoted “12 free months from the time an account holder registers for the program” – but keep in mind that Debix already offers a 30-day free trial to begin with, assuming you enter your credit-card details during that “free trial.”
Is it worth it to you to take part in what is essentially an eleven-month monitoring program that will then cost you $10 per month after the trial period ends?
(Brace yourself for tiny legal font, but it’s here in its Terms and Conditions that “if you do not cancel before the end of such free trial period, you agree that Debix is authorized to charge you a monthly subscription fee at the current rate to the payment method you provided during registration.”)
That’s neither a “do” nor a “don’t” but simply up to each individual user to decide for themselves.