CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm

Sony Data Breach Clean Up Continues

Posted in Cyber Breach, Retail

Things for Sony are definitely heating up.  Yesterday the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing on “The Threat of Data Theft to American Consumers.” Sony didn’t send a representative, but Kazuo Hirai, Chairman of the Board of Directors, sent a letter responding to questions from the committee.  (A summary of the answers is available on the Sony PlayStation Blog, and the full letter is available here.)

While a lot of the information from previous posts (April 26th, and May 2nd) is repeated, Sony is dealing with the cyber attack by following four key principles:

  1. Act with care and caution.
  2. Provide relevant information to the public when it has been verified.
  3. Take responsibility for our obligations to our customers.
  4. Work with law enforcement authorities.

Sony says that it has been working with the FBI and three forensic experts to determine the scope of the breach.  The Department of Defense is also conducting an investigation.  Investigators discovered a file on one of the serves named “Anonymous” with the words “We are Legion.” Just weeks ago, Sony was the target of a denial-of-service attack by the group Anonymous in response to Sony’s lawsuit against alleged PlayStation 3 hacker George Hotz.  But Anonymous is claiming no involvement in the current hack.  Even so, Sony believes the denial-of-service attack may have provided cover for the larger breach.

Earlier today the Sony PlayStation Blog posted a letter from Howard Stringer that customers will be able to obtain a $1 million identity theft insurance policy through Debix, Inc.  Although all the details may still be developing, it is almost certain one of the most expensive breaches in recent years.  With Ponemon’s average cost of a data breach at $214 per compromised record, Sony might end up having to pay $214 million.  With the variety of rules from state to state and country to country regarding data loss this total might end up being much higher.  Suits have already been filed in the U.S. and Canada.