recommended reading

DHS probing Sony PlayStation network attack

The Homeland Security Department, charged with protecting the nation's critical infrastructure, is helping to mitigate the damage from a breach of customer account data on Sony's online video game and entertainment networks that could have affected 77 million users, DHS officials said.

Over a three-day period last week, intruders hacked into user profiles on the PlayStation Network gaming console and the company's music and video service Qriocity, Sony officials disclosed on Tuesday.

"The Department of Homeland Security is aware of the recent cyber intrusion to Sony's PlayStation Network and Qriocity music service," DHS spokesman Chris Ortman said. "DHS' U. S. Computer Emergency Readiness Team is working with law enforcement, international partners and Sony to assess the situation."

While gaming and music networks may not be considered "critical infrastructure," the data that perpetrators accessed could be used to infiltrate other systems that are critical to people's financial security, according to some computer experts. Stolen passwords or profile information, especially codes that customers have used to register on other websites, can provide hackers with the tools needed to crack into corporate servers or open bank accounts.

The PlayStation site states that the perpetrator obtained the names, addresses and birth dates of registered users, as well as their email addresses, network usernames and login passwords. User profile information, such as answers to password security questions and purchase histories, also may have been taken. The company has no evidence that credit card data was stolen but officials said they cannot rule out the possibility.

US-CERT offers victimized companies guidance on service restoration and risk management, as well as recommendations for improving overall network and control systems security. The team also shares information gleaned from investigations with private sector and government cybersecurity specialists to prevent similar strikes elsewhere.

Patrick Burke, senior vice president in the national security sector at SRA International, said Homeland Security's role in a situation such as Sony's is to help companies exchange information about the nature of their losses with customers, the commercial sector and the government as soon as a breach is discovered. "There can't be a fear of retribution," he said.

The public was outraged this week after learning Sony waited until April 26 to tell customers it had detected an intrusion on April 19. The consumer electronics company took down the compromised services around the 20th, reporting on its blog, "We're aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information."

"We're all in this together," Burke said. "We all need to understand that. There's an adversary that we're trying to defeat. If we're not going to share information when we're attacked . . . that's gotta get fixed."

As far as the scale of Sony's customer account break-in, the PlayStation hack is outranked by two recent invasions. An intrusion at TJX Companies Inc. that was reported in 2007 exposed data from more than 94 million credit and debit cards belonging to consumers who had shopped at TJ Maxx, HomeGoods, A.J. Wright and Marshalls stores. In 2009, an incursion at Heartland Payment Systems Inc., which processes debit and credit card transactions, compromised about 130 million cards.

The Sony incident "is scary but it's not world-ending scary," said Jerry Brito, director of the technology policy program at George Mason University's Mercatus Center. "We have much more to fear from nuclear weapons and real war."

He does not see a role for DHS to play in damage control.

"Now that this has happened I think it's time for law enforcement to do their jobs and catch the bad guys," Brito said.

FBI officials are involved in the case. "The FBI is aware of the reports concerning the alleged intrusion into the Sony on line game server and we have been in contact with Sony concerning this matter," FBI Special Agent Darrell Foxworth said in a statement. "We are presently reviewing the available information in an effort to determine the facts and circumstances concerning this alleged criminal activity."

The FBI is asking the public to provide information by calling (858) 565-1255 or online through the Internet Crime Complaint Center.

Brito does not expect players to experience extensive financial losses as a result of the PlayStation breach because scammers already had access to this kind of credit card information and personal data on the black market. Sony, however, likely will face lawsuits and may lose customers, he noted.

"Corporate America has not been paying attention to this," Brito said. "All of these private enterprises now have an incentive to make sure this doesn't happen to them. I don't see what the government is going to do extra."

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

    Download
  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

    Download
  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

    Download
  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download

When you download a report, your information may be shared with the underwriters of that document.