Here's a sample from the forthcoming report. It's one of the case studies. There are 11 of these in the full report.
Sony PlayStation Network hacks
Overview
What media reports often described as the Sony PlayStation
Hack was actually a series of hacks and problems with a set of related systems
over several days. The main focus of attention for data protection authorities
was the potential theft of personal information of more than 70 million users
of the Sony PlayStation Network. The internal investigation of this hack
resulted in the PlayStation network platform being unavailable for several
days. PlayStation Network (PSN) is the network that provides the online
component of the popular PlayStation games console: it allows users to purchase
and download games and additional content, to communicate with friends and to
host online multiplayer games.
Other related hacks were discovered during the investigation
into the PlayStation Network hack. First, the website of Sony Online
Entertainment (SOE) was compromised, with hackers potentially gaining access to
personal information of 24.6 million customers.[1]
The SOE network was taken offline on 2 May 2011. Second, personal
information on a Sony website was indexed by Google, leading to 2,500 names and
partial addresses from a 2001 Sony sweepstake competition being discovered on a
public-facing website on 7 May 2011.[2] Third,
the Sony Pictures Entertainment website was hacked between 27 May and 2 June
2011, with the hacking group LulzSec claiming responsibility,[3]
and for which several purported members of LulzSec were subsequently charged.[4]
This hack resulted in the theft of confidential data relating to 100,000 users
of the Sony Pictures website. Several other hacks followed through May and June
2011.[5]
There were several investigations into the PlayStation
Network data breaches, which for the most part occurred independently of each
other. Many data protection authorities rapidly stated that they would look
into the breaches to ascertain the applicability of their data protection law
to the case and any jurisdiction that their offices might have. The UK
Information Commissioner’s Office (ICO) conducted an investigation into the PlayStation
Network data breach and issued Sony with a monetary penalty of £250,000. There
were also a large number of separate investigations into this data loss by
various actors in the United States, including the Federal Trade Commission,
the House of Representatives, numerous Attorneys General, and the FBI.
Sequence of key events
- 17-19 April 2011: Sony learns that the PlayStation Network and Qriocity network had been hacked and begins an internal investigation.
- 20 April 2011: Sony PlayStation Network and Qriocity services are suspended.
- 22 April 2011: Sony confirms that the PlayStation Network suspension is due to external intrusion.
- 25 April 2011: Sony’s forensic teams confirm the scope of the personal data they believe was taken, but cannot rule out that credit card information was also taken.
- 26 April 2011:
- April 2011: The Office of the Australian Information Commissioner (OAIC) conducts an investigation into Sony Computer Entertainment Australia’s role in the PSN data loss.
- 2 May 2011: Sony confirms that 12,000 credit card numbers and 24.7 million customers’ account information may have been stolen. The credit card numbers are apparently encrypted and do not include expiry dates.
- 2 June 2011: Sony restores all PlayStation Network services in all areas other than Japan.
- 29 September 2011: The OAIC publishes the results of its investigation of Sony Computer Entertainment Australia.[8]
- 25 July 2012: The ICO serves a Notice of Intent on Sony.
- 12 October 2012: The ICO receives written representations from Sony.
- 19 October 2012: A US Federal judge rules that plaintiffs could not claim that Sony violated US consumer protection statutes because the PSN services were provided free of charge.
- 14 January 2013: The ICO issues a penalty of £250,000 against Sony Computer Entertainment Europe (SCEE) Limited.[9]
Reasons for investigation
Several data protection authorities undertook investigations
to determine the applicability of local law to the hacks after they became
public knowledge. The Office of the Australian Information Commissioner (OAIC)
conducted its “own motion” investigation into the PlayStation Network hack in
April 2011. This investigation was conducted because Australian citizens had
been affected by the network hack. The OAIC investigation was limited to the
activities and role of Sony Computer Entertainment Australia, a subsidiary of SCEE.
Similarly, the Office of the Privacy Commissioner for Personal Data in Hong
Kong also conducted enquiries into Sony Computer Entertainment Hong Kong. The
Office of the Privacy Commissioner of Canada announced its intention to look
into the PSN data loss in late April 2011, with particular attention to its
effects on Canadians, and would determine its next move once it had a better
understanding of events.[10]
The Office does not appear to have subsequently issued a report of findings on
any such investigations. Other data protection authorities, such as the New
Zealand Privacy Commissioner, maintained contact with their international
equivalents without conducting their own investigation.[11]
The PlayStation Network platform is operated by Sony Network
Entertainment Europe Limited (SNEE), which is a wholly owned subsidiary of Sony
Computer Entertainment Europe. SNEE is responsible for the network in Europe,
the Middle East, Africa, Australia and New Zealand. The network platform,
including the database of customer information, was maintained on behalf of
SNEE by a US service provider, which is another part of the Sony group. SNEE is
based in London and therefore comes under the purview of the ICO. The ICO
described the loss of customer information by Sony as “the most serious breach
reported to us”.[12] The breach was
self-reported to the ICO by SNEE, and the ICO subsequently undertook an
investigation.
There were several overlapping investigations into the hack
in the United States. Sony Computer Entertainment America (SCEA) is the
US/North American equivalent to SNEE and both are part of the Sony Group, which
in turn is headquartered in Japan. Sony Online Entertainment publishes online
multiplayer games. The US headquarters of Sony Online Entertainment is in New
York.[13]
The Federal Bureau of Investigation confirmed that it was investigating the
hacks as a cybercrime, with the focus of its investigation being the hackers
responsible, and not the involvement or conduct of Sony in regard to the breach
of personal data. The FBI subsequently
arrested and charged several people allegedly involved in perpetrating the hacks.
The House of Representatives subcommittee on Commerce, Manufacturing and Trade
conducted a hearing on the threat of data theft to American consumers, which
produced a letter to the chairman of SCEA, asking several questions about the
timing and extent of the breach, when Sony became aware of the incident, when
it notified customers and the authorities, and the details of any data security
and retention practices.[14] Sony’s
response to this letter provided details about its internal investigation, and
cited the complexity of the investigation as the key reason for the delay in
informing customers and the authorities.[15]
Twenty-two US state attorneys also demanded answers to questions from SCEA.[16]
The Federal Trade Commission may also have had jurisdiction due to potential
impacts on US consumers, but does not appear to have produced a report of any
investigation.
Findings of investigation
The Office of the Australian Information Commissioner (OAIC)
investigation concluded that as SCE Australia did not hold any personal
information relating to the PlayStation Network platform, it had therefore not
breached Australia’s Privacy Act 1988. The OAIC report made a distinction
between information disclosed to the public and information accessed as a
result of “a sophisticated security cyber attack against the network platform”,
and stated that a targeted attack on an organisation did not necessarily
signify that the organisation had failed to take “reasonable steps” to secure
personal data.[17] The Commissioner was,
however, concerned about the delay between SCE Europe becoming aware of the
incident and notifying both customers and the OAIC. The Privacy Commissioner
for Personal Data, Hong Kong, stated on 26 July 2012 that his office
would not pursue any further investigation, on the assumption that the cause of
the intrusion had been identified, and that preventative measures had been
taken.[18]
The UK Information Commissioner’s Office disagreed with the
Australian conclusion, stating that the PlayStation Network hack that resulted
in the loss of customers’ personal data could have been avoided. That the
database had been targeted in a deliberate criminal attack did not mitigate the
finding that the security in place was not sufficient to protect the personal
data being held. As a data controller under the Data Protection Act 1998, SCEE
had failed to ensure that the service provider maintained adequate security
standards. The ICO considered the contravention of Section 4(4) of the Data
Protection Act 1998 to be serious, because the measures taken by the data
controller did not ensure a level of security appropriate to the harm that
might result from unauthorised or unlawful access and processing of the stored
information. The monetary penalty of £250,000 was therefore reasonable and
proportionate, but would not impose undue financial hardship upon the data
controller. The ICO could potentially have issued a fine of up to £500,000.[19]
Aggravating factors included serious contravention due to the nature and volume
of data; placing other accounts at risk; that the data controller should have
been aware of the risk; that the data controller should have acted sooner; and
that the data controller is part of a multinational group with resources and
expertise. Mitigating factors included the focused and determined criminal
attack; the complexity of the PSN system; the fact that some steps were taken
to secure the network; that there had not been a previous similar breach; that
the personal data lost is unlikely to be misused and that no misuse has yet
been reported; that data subjects were informed and reparations offered; that
the data controller fully co-operated with the commissioner; that substantial
remedial action has been taken; and that the breach has had a significant
effect on the data controller’s reputation.
The lawsuits filed against Sony (SCEA) alleging that Sony
knew that its security was insufficient prior to the attack were dismissed by a
judge in Southern California on the grounds that the named plaintiffs were not
subscribers to the premium features of PSN, and therefore Sony had not breached
California’s consumer protection laws. Judge Anthony Battaglia also stated that
Sony could not be held fully responsible for the loss as there was no such
thing as perfect security.[20]
Forms of co-operation
In general, there is little evidence of any significant or
structured co-operation between data protection authorities in the
investigation of the Sony PlayStation Network data breach or other associated
hacks against Sony. Rather, investigations were primarily conducted by national
data protection authorities where they believed it appropriate. Where it
occurred, co-operation between data protection authorities was limited to ad
hoc communication between the authorities and the sharing of any findings at
the conclusion of individual investigations.
The OAIC investigation into SCE Australia was one of the
earliest investigations. The OAIC states that it advised other privacy
regulators about its findings, particularly the Asia Pacific Economic
Cooperation (APEC) member countries.
Many data protection authorities who issued press releases regarding the
Sony PlayStation breach also noted that they would maintain communication with
peers in other countries during their investigations. Details of this
communication or co-operation are generally limited. The Australian
Commissioner also stated that he did not intend to re-open this investigation
following the ICO’s decision regarding SCE Europe.[21]
The OAIC did, however, note the complexity of the Sony case, and cited this as
a driver towards increased international co-operation.
There is evidence of collaboration between the FBI and the
Department of Justice in the investigation of the criminal side of the hacks.[22]
This presumably builds on regular co-operation between the FBI and its
overseeing Department. It appears that the 22 different state Attorneys General
each wrote their own investigative letters to Sony, rather than sharing a
single inquiry.
Several parts of the Monetary Penalty Notice issued by the
ICO have been redacted.[23]
It is uncertain if the redacted or un-redacted version of this Notice was
shared with other data protection authorities. The Notice does not give details
of any collaboration between the ICO and other data protection authorities.
Notably, the respective Sony subsidiaries seem to have
co-operated with the law enforcement and data protection authorities in each
instance, and alongside the voluntary reporting of the breach to the UK
commissioner, this co-operation was taken into account by the ICO as a
mitigating factor in determining the appropriate monetary penalty.
Conclusions
From this case study, we draw the following conclusions:
- The corporate structure of Sony’s various divisions and way that it operated services made issues of jurisdiction and responsibility potentially problematic.
- Most data protection authorities that investigated the PlayStation Network hacks examined the activities of the local subsidiary of the Sony Group within their jurisdiction (for example, SCE Australia and SCE Hong Kong). Several data protection authorities therefore concluded that because those subsidiaries were not directly involved in processing data in relation to the hacked network, there was no further need for investigation.
- The PlayStation breach appears to have been influential in increasing the perceived need for global co-operation between Data Protection Authorities, due to the inter-related nature of the Sony group, the complex flows of personal information involved, and the possibility of a single event affecting a large number of citizens.
[1] Sony Online Entertainment,
“Dear Valued Sony Online Entertainment Customer”, Sony Online Entertainment, 2 May 2011. https://www.soe.com/securityupdate/
[2] Wisniewski, Chester, “Sony
succumbs to another hack leaking 2,500 ‘old records’”, Naked
Security, 7 May 2011. http://nakedsecurity.sophos.com/2011/05/07/sony-succumbs-to-another-hack-leaking-2500-old-records/
[3] FBI, “Member of hacking
group LulzSec arrested for June 2011 intrusion of Sony Pictures computer
systems”, press release, Los Angeles, 22 September 2011. http://www.fbi.gov/losangeles/press-releases/2011/member-of-hacking-group-lulzsec-arrested-for-june-2011-intrusion-of-sony-pictures-computer-systems
[4] FBI, “Six hackers in the
United States and abroad charged for crimes affecting over one million
victims”, press release, New York, 6 March 2012. http://www.fbi.gov/newyork/press-releases/2012/six-hackers-in-the-united-states-and-abroad-charged-for-crimes-affecting-over-one-million-victims
[5] Security Curmudgeon, “Absolute
Sownage: a concise history of recent Sony hacks”, Attrition.org, 4 June 2011. http://attrition.org/security/rant/sony_aka_sownage.html
[6] Information stolen likely
included: name, address (city, state, zip), country, e-mail address, birthdate,
PlayStation Network/Qriocity password and login, and handle/PSN online ID. It
is also possible that profile data, including purchase history and billing
address (city, state, zip), and PlayStation Network/Qriocity password security
answers may have been obtained. Seybold, Patrick, “Update on PlayStation
Network and Qriocity”, PlayStation.Blog,
26 April 2011. http://blog.us.PlayStation.com/2011/04/26/update-on-PlayStation-network-and-qriocity/
[7] Arthur, Charles, “Anonymous
says Sony accusations over PlayStation
Network hack are lies”, The Guardian,
5 May 2011. http://www.guardian.co.uk/technology/blog/2011/may/05/anonymous-accuses-sony-hack-PlayStation-network
[8] Office of the Australian
Information Commissioner, Sony PlayStation Network/Qriocity: Own Motion
Investigative Report, 29 September 2011.
[9] Information Commissioner’s
Office, “Sony fined £250,000 after millions of UK gamers details compromised”,
Press release, 24 January 2013. http://www.ico.org.uk/news/latest_news/2013/ico-news-release-2013
[10] Hartley, Matt, “Breach
rattles watchdogs”, Financial Post,
27 April 2011.
[11] Privacy Commissioner,
“Media Release: PlayStation data breach”, Press release, 28 April 2011.
[12] BBC, “Sony fined over
‘preventable’ PlayStation data hack”, BBC
News, 24 January 2013.
[14] House of Representatives,
“The Threat of Data Theft to American Consumers: Hearing before the
Subcommittee on Commerce, Manufacturing and Trade, of the Committee on Energy
and Commerce, House of Representatives”, US Government Printing Office,
Washington, DC, 4 May 2011.
[15] Hirai, Kazuo, “Letter to
the Honorable Mary Bono Mack and Honorable G.K. Butterfield”, 3 May 2011.
[16] As an example, see
Jepsen, George, “Re: Sony PlayStation Breach” letter, Hartford, Connecticut, 27
April 2011. http://www.ct.gov/ag/lib/ag/press_releases/2011/sonytrettonltr042711.pdf
[17] Office of the Australian
Information Commissioner, Sony PlayStation Network/Qriocity: Own Motion
Investigative Report, 29 September 2011.
[18] Office of the Privacy
Commissioner for Personal Data, Hong Kong, “Privacy Commissioner completes
enquiries with Sony on Resumption of PlayStation Network Service in Hong Kong”,
press release, 26 July 2012. http://www.pcpd.org.hk/english/infocentre/press_20120726c.html
[19] Information
Commissioner’s Office, Data Protection Act 1998 Monetary Penalty Notice: Sony
Computer Entertainment Europe, 14
January 2013.
[20] Kerr, Dana, “Sony PSN
Hacking lawsuit dismissed by judge”, CNET,
23 October 2012.
[21] Office of the Australian
Information Commissioner, “Sony PlayStation Network: Statement from the
Australian Privacy Commissioner, Timothy Pilgrim”, press release, 25 January
2013.
[22] Li, Shan, “Justice
Department probes hacker attack at Sony’s PlayStation Network”, Los Angeles Times, 5 May 2011. http://articles.latimes.com/2011/may/05/business/la-fi-sony-probe-20110505