Senator Richard Blumenthal (D-CT) yesterday penned a letter asking SCEA President Jack Tretton some hard questions regarding just why it took nearly a week for the company to inform over 75 million customers that personal data such as billing address, email passwords and possibly credit card information might have landed in the hands of an unauthorized, malicious third party.
"I am troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections," said Blumenthal in the note. "When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised."
The senator, who currently serves as a member of both the Senate Subcommittee on Antitrust, Competition Policy and Consumer Rights and the Subcommittee on Privacy, Technology and the Law, is doubly interested in the ongoing investigation: it's his job.
"Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised," he wrote. "Nor has Sony specified how it intends to protect these consumers."
Blumenthal offered one specific suggestion to Tretton on how to address the situation moving forward: "PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony."
Patrick Seybold, the Senior Director for Corporate Communications and Social Media, countered the general criticism against Sony for its alleged lackadaisical reaction to the data breach on the Official U.S. PlayStation blog:
There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.
According to CNET, the PSN/Qriocity debacle is comparable to other massive data breaches, such as the hacking of Heartland Payment Systems in 2009 which leaked 130,000,000 records and an unknown amount of credit card info. The Chief Technology Officer of Application Security Inc. Josh Shaul echoed that sentiment, telling Forbes the PSN intrusion is "one of the worst breaches we've seen in several years."
So, how much could this blunder cost when all is said and done?
One estimate making the rounds is $24 billion -- based on an average of just over $300 for each of the supposed 77 million registered PSN IDs.
No matter the amount, this issue will undoubtedly persevere well beyond the service's re-launch - which has yet to be announced.
Did you spend the last day or so changing email passwords, canceling credit cards or writing strongly worded letters to Sony? Let us know in the comment section.
