May 6, 2011 -- By now almost everyone I know (and millions of people I haven't had the pleasure of meeting yet) has read or heard about Sony's announcement last week that its PlayStation network was hacked and that the Personal identifying Information (PII) of potentially 77 million individuals worldwide has been compromised. Then, earlier this week, Sony notified us that there'd been a second breach. This one involved the accounts of 25 million members of Sony Online Entertainment, which hosts the popular online game EverQuest, among other diversions. That means that the PII of more than 100 million Sony customers is now twisting in the wind. And now, a law firm in Canada has filed a class action lawsuit against Sony for more than $1 billion in damages on behalf of nearly one million Canadians.
It is a reasonable assumption that many minors inhabited both of these Sony networks. The stolen PII included names, dates of birth, email addresses, physical addresses, user IDs and passwords and at least some credit card information. Further, children or their parents might unwittingly give up additional information (or expose their computer to malware that would turn their home network into a broadcast vehicle for their financial account numbers and passwords) to a "phisher" pretending to be a legitimate Sony representative following up on the breach. Were they to give up their Social Security number, for example, someone could do quite a bit of damage, especially given children have no reason to check credit information for many years to come. Perhaps the fact that the breach was so large, and involved kids, explains why in a week that saw mile-wide deadly and horrific tornados, a US president publicly releasing his birth certificate, and precious metals prices reaching all-time highs, the PlayStation breach made the front page of the Wall Street Journal.
[Related article: As Breach Worsens, Sony Leaders Say They Knew of Security Problems]
Here's why: While, the compromise of children's identities isn't new, it certainly is a big story when it happens. It has been estimated that more than 400,000 such incidents occur each year and that number has been growing for some very good reasons. First and foremost, however vigilant most adults may be about their own identities, rarely do parents think about monitoring their children's status. A thief thereby gains something very important—precious time before any discovery of the felony occurs. Secondly, a child is very likely to have a dormant Social Security number, which presents a clear field for account creation and manipulation. Again, should the perpetrator of a phishing attack succeed in obtaining a SSN, the damage he could do setting up new, fraudulent credit accounts could go undetected for years.
Frankly, I'm not surprised that Sony was hacked. Major data breaches, many of which have been the subject of several of these columns, are occurring about once a week these days. Surely one cannot reasonably believe that Sony—or for that matter its competitors, Microsoft and Nintendo—could be immune.
To say that Sony's response to this breach has been understated is itself a huge understatement. In a press release that the company sent out this past weekend, almost two weeks after the breach happened, they outlined the steps they were taking to deal with their "oops" moment (I am being gentle here), and then tried to make amends in a manner befitting a clueless corporate monolith (ok, forget gentility). They'd like to welcome their users back to the network with the following:
"All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service."
They are also offering some unspecified, free downloads, in addition to some yet-to-be named freebies. Be still my heart! Thirty days of access to Playstation Plus and all you had to do was open the doors of your home, your office and your life to identity thieves. What a great deal! And, in case their customers are actually concerned about the integrity of their identities, Sony was kind enough to provide a few self-help tips on protecting yourself and a short list of government and credit reporting agencies to whom you can turn in the event of a personal compromise.
Hacking the SystemI have always believed that all of the gaming networks, and other kids' sites that have an e-commerce component, are the most vulnerable repositories of any large caches of PII, for a few very simple reasons. It is undeniable that although the universe of avid gamers and the galaxy of talented hackers aren't congruent, there is a rather substantial overlap. Many of our children are light years beyond our technological prowess. Smart kids have been responsible for some of the most famous hacks of history, involving compromises of both government and industry computer networks, many of which were "innocent" pranks—done for thrills rather than financial gain or more nefarious purposes. Remember when, a decade ago, the recording industry announced the development of the "copy-proof" music CD? The idea was to prevent the uploading of music on a physical disk to one of the file-sharing sites like Napster or Kazaa where the music could be freely traded (and traded for free). A good friend of mine who had a large company that distributed physical CDs informed me that within a few days the elaborate and very expensive protection system was defeated by kids around the country using only a felt tip pen!
More importantly, youthful online gamers often exist in a culture that seems to make hacking more socially acceptable, perhaps even socially esteemed. There is a "cheat site" for virtually every popular game—just Google the name of the game followed by the word "cheat" and you'll see what I mean. Sure, this kind of cheating is victimless and really doesn't constitute any type of crime, but it's worth considering why little Johnny, who gets straight A's in school and would never cheat on his math test, probably has no problem using the cheat sites or even contributing to them.
The worst unintended consequence of this culture seems to be the false sense of anonymity and invincibility kids tend to feel when they're online. They don't cheat in school because there'd be consequences if they got caught. But I sense that many kids feel that cyber-hacks, regardless of their severity, occur in an online vacuum and are free of real-world consequences. To take it one step further—because of this assumption, young people tend to be more cavalier about the sensitive information they share publicly.
If you think about it, the Sony breach merely underscores something obvious. The gaming networks and similar sites are delicious targets for the "because I can" crowd. Although the hackers themselves may not be trying to open a phony bank account with your child's newly acquired PII, there are others, most likely older and much more venal, who would love to get their paws on that data for just such a purpose. Beyond this, there is another type of currency available uniquely on the gaming networks—access to the accounts and special permissions related to a gamer's skill, highest play level and acquired "spoils of war"—all of which have value on the Internet black market. That's right, the youngest hackers are probably stealing identities because they are looking to make General in Halo Reach without having to do all the work themselves to rise through the ranks. (For those of you who are older than 15, Halo Reach is a video game in which players earn military-style ranks for successfully completing missions and shooting stuff.)
Regardless of the motivation, it is harmful on several levels that this information is now airborne. And as all readers of this column must know by now, once the data is airborne—it's out there!
Sad reality check—we need to be as careful with our kids' PII as we are with our own. Limit the amount of data your child makes available to anyone online. In fact, an effective countermeasure may be to fudge the data a bit. Does the gaming network really need to know any child's street address (frankly, do they really need to know yours)? From the moment your child is born and assigned a Social Security number, you'd best monitor it, perhaps not every minute but certainly at least once or twice a year. And you should be sure to instruct them to pass it along to no one (employers aside). Bottom line—don't allow your child's zeal for vanquishing extra-terrestrial invaders, terrorists or street thugs alienate them from the benefits of a sound financial beginning as they come of age.
Adam Levin is chairman and cofounder of Credit.com. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.