Ramblings of an old Doc


I’ve been watching this story evolve over the past week and decided to warn our gamer friends about it as a community service. I don’t know if many, or for that matter any, of you folks have been affected by this, but safe is better than sorry, and “Thou shalt not stand idly by” seems to apply here.

Sony confirmed the breach on Tuesday.

If you are a PlayStation Network and/or Qriocity subscriber, you should be receiving an email from Sony confirming the breach.

The email will tell subscribers that Sony has turned off the PlayStation Network and Qriocity cloud-music service, engaged an outside security firm and "taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information", per Mark Hachman at PC Magazine.

"Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained," the email states. "If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.

"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained." – Sony Spokesman

This is important:

1. Disregard any email purporting to be from Sony or any agent of Sony that asks for personal or financial details. Sony's own notice is informational; a message that wants you to "confirm" your password or card number is a phishing attempt riding on the breach.

2. Your PlayStation Network login and password were among the data taken, so change that password now, and change it anywhere else you used the same one. You might also want to set up a new email address, tell your friends about it, and shut down the old one.

3. You might want to have your credit/debit card number changed. A simple explanation to the card issuer of why should suffice, and they should be glad to help; they are as interested as you are in preventing fraud and abuse.

I hope you aren’t victimized by all this, but there are positive steps you can take to prevent tremendous damage to your finances and identity.

Hope this helps!


Comments (Page 1)
on Apr 27, 2011

*sigh*

... a large company which keeps personal data can't keep the information away from others with malicious intent. Why am I not surprised?

Good luck in getting any recourse if you are victimized.

*sigh*

on Apr 27, 2011

Sony could never code for shit.

on Apr 27, 2011

I don't understand why credit card info is stored on their site. Stardock doesn't do that.

on Apr 27, 2011

I don't think even Ashampoo does that. And if the official statements from them and from Sony are all true, Ashampoo only lost some names and email addresses. Sony essentially lost control of all their user data for a big part of their user base (including credit card details, booh).

Best regards,
Steven.

on Apr 27, 2011

Heard this on the Teev news tonight....it 'only' affects 70 million customers.....

on Apr 27, 2011

I read it had something to do with an update that allowed people to use user-made software. A jailbreak type of update, I guess; the problem was that this apparently allowed people to purchase and download DLC with someone else's credit cards, since apparently Sony did not have a credit card verification system through this network. It basically created a pirated software heaven within the network, and this is why they shut it down. But now it's about a penetration: information taken by someone who was able to crack their system. I don't know about you, but I'm starting to think that not giving all my info every time I sign up somewhere is an even smarter idea than I had thought, and using a prepaid card to purchase things may be the smartest thing ever. A couple of bucks a month for these cards is worth the hassle I can save myself from.

on Apr 27, 2011

Suddenly my paranoia of only using prepaid cards to buy PSN stuff doesn't seem so crazy.  I'll just have to change my password.  Others may not get off quite so easily.

It's funny because our company is having to jump through hoop after hoop to become PCI compliant, meanwhile Sony apparently has all their customer and credit card information just sitting there in a file or something.

on Apr 27, 2011

DrJBHL
I don't understand why credit card info is stored on their site. Stardock doesn't do that.

The requirements to store Credit card info are very strenuous.  Not only do you have to have regular firewalls, but firewalls around the host storing the data alone.  We offloaded it to a 3rd party because of those requirements.  I agree with you - why would anyone store it on site especially when you interface with John Q. Public?  Even if never hacked, the audit requirements and just the PCI requirements make it a major headache for any organization.

on Apr 27, 2011

This has gotta suck for the devs who have games on PSN also, as people will be less likely to buy on there now.


The guys I feel most sorry for are Aksys with Arcana Heart 3. Sony pushes them back to the same day as Mortal Kombat, then this happens to them. Really shitty timing.


on Apr 28, 2011

http://news.yahoo.com/s/nm/20110428/ts_nm/us_sony

You got to check this out. Global bad news for SONY.

on Apr 28, 2011

lbgsloan
...meanwhile Sony apparently has all their customer and credit card information just sitting there in a file or something.

Info in files is not the problem... but it seems that nothing was encrypted:

"...My understanding from what they said is that stuff was compromised and was not encrypted..."

A shame when you have a bunch of hard drives and brands that are OPAL compatible, offering strong 256-bit AES (Advanced Encryption Standard)...

With an OPAL drive, even if the content leaks to the outside, a brute-force attack with current computers would take more time than the age of the universe itself to break the key and read the info...

Again, it is greed that has led a business like Sony to these problems, since OPAL drives are somewhat more expensive than usual ones... hope that they will pay a lot for the damage done to their customers...

*****

"Hospital lost patient data" (...unencrypted), "ministry of defense laptop stolen" (...unencrypted), "hard disk with confidential defense information on Ebay" (...unencrypted), reports like these have haunted us for the last couple of years with an ever increasing frequency and publicity.

Mobile data processing has become commonplace whereas adequate protection of the respective data hasn't yet.

You may not realise it, but it doesn't really require rocket science to protect these data appropriately. Full Disk Encryption (FDE), for instance, guarantees that any data on a PC's hard disk is encrypted, without the user having to care about which files need to be protected and which not.

With TrueCrypt, the open source community provides a free product targeted for private use, and with SafeGuard Device Encryption, Sophos offers a software solution for the corporate market, addressing the additional needs of business users, such as central management and password recovery in case of a forgotten password.

Some time ago, hard disk vendors stepped into the market with self-encrypting hard disks to fill the same gap.

These drives offer encryption performed in the hard disks themselves rather than in some software layer above. And indeed, the advantages of such a hardware-based solution are compelling: Encryption right at the source of data, no performance penalty, data encryption independent of the operating system on top, and no sensitive keys exposed in RAM, just to name a few.

Back in 2007, Seagate pioneered this technology with its Momentus drive series, and Hitachi followed soon. All their solutions, however, were proprietary, and required remarkable efforts in software development when it came to a powerful management on top of the very data encryption, as required by enterprise users.

Eventually, Seagate and the like recognized this deficit, and teamed up with the Trusted Computing Group (TCG) to develop a vendor-independent standard for self-encrypting hard disks. In January 2009, they finalized the Opal standard and announced it to the public.

But where do we stand today, nine months after release of the specification?

Actually, Opal-compliant hard disks are still few and far between. Fujitsu seems to be able to sell a few models, and also Hitachi.

With Seagate, however, you don't really know. Initially one of the driving forces behind Opal, they seem to have abandoned the standard again, and pursue another proprietary approach, as currently shipped with Dell notebooks. Toshiba announces its Opal hard disks to be available in the 1st quarter of 2010.

Apparently, also the notebook vendors are quite reluctant in adopting Opal hard disks, as the integration requires some adaptations in their BIOS. I haven't been able to find any vendor that aggressively promotes notebooks with Opal-compliant hard disks.

*****
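The two comments above, on offloading stored card data because of the PCI requirements around it and on the leaked data having been unencrypted, come down to how the record is laid out rather than which disk it sits on: self-encrypting drives and full disk encryption protect a drive that leaves the building, not a database that a compromised application server can query while the system is running. The following is an added example, not code from this page or from Sony. It builds a customer record the way the commenters describe the leak (everything in the clear) beside the same record with the password and security answer salted and hashed, only the last four card digits kept readable, and the full card number encrypted under a data key that is never written to the table. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, used as a stand-in for AES-256-GCM so the block runs on the standard library alone; in production use AES-GCM from a vetted library. The iteration count, the field names and the sample values are assumptions; the card number is the standard test PAN.

```python
"""Added example: a leaked customer table with and without protected fields."""
import hashlib
import hmac
import secrets

PBKDF2_ITERS = 100_000            # assumption: raise to what your login latency budget allows
SAMPLE_PAN = "4111111111111111"    # constructed sample: the standard test card number


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-bound subkey so the keystream and the tag never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for AES-256-GCM. Layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified blob is rejected, not decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def hash_secret(secret: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 for anything the user types back: passwords and 'security answers'."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2_sha256${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def insecure_record(login: str, password: str, pan: str, answer: str) -> dict:
    """Everything in the clear: a copy of the table is a copy of the secrets."""
    return {"login": login, "password": password, "card": pan, "answer": answer}


def protected_record(login: str, password: str, pan: str, answer: str, data_key: bytes) -> dict:
    """data_key lives in a separate key service or HSM and is never written to this store.
    A stolen copy of the table yields logins, last4 and blobs that cannot be opened."""
    return {
        "login": login,
        "password": hash_secret(password),
        "card_last4": pan[-4:],
        "card_enc": encrypt_field(data_key, pan.encode()).hex(),
        "answer": hash_secret(answer.strip().lower()),   # treat answers as passwords
    }


def recover_pan(record: dict, data_key: bytes) -> str:
    """Only the billing service, which holds data_key, can do this."""
    return decrypt_field(data_key, bytes.fromhex(record["card_enc"])).decode()


def attacker_can_read_pan(record: dict) -> bool:
    """What a thief with the table but not the key gets: a guessed key fails the tag check."""
    if "card" in record:
        return True                       # insecure layout: the PAN is right there
    try:
        recover_pan(record, secrets.token_bytes(32))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    leaked = insecure_record("gamer1", "hunter2", SAMPLE_PAN, "Rex")
    safe = protected_record("gamer1", "hunter2", SAMPLE_PAN, "Rex", key)
    print("insecure table exposes PAN:", attacker_can_read_pan(leaked))         # True
    print("protected table exposes PAN:", attacker_can_read_pan(safe))          # False
    print("billing service recovers PAN:", recover_pan(safe, key) == SAMPLE_PAN)  # True
```

The layout, not the cipher, is what changes the outcome of a table dump: the thief gets logins, last-four digits and opaque blobs, and password reuse elsewhere is the remaining exposure, which is why the post above tells readers to change their password. Keeping the data key out of the table (and ideally out of the same host) is also what lets the card data be scoped to one audited service instead of every system that can read the customer database.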

on Apr 29, 2011

Because it costs money and the corporate types are all about 'NOT' spending it. Even if it does mean safeguarding their customer base. Sometimes you have to wonder where their priorities lie.


In the back room with a floozy or two no doubt.

on Apr 29, 2011

Well, there's absolutely no excuse in this day and age for not encrypting sensitive info. It's simple. Also, just confirms my thought that people are just plain lazy, cruise in the 'autopilot' mode and then when exploited play the 'victim' and play that to the fullest instead of realizing how they have victimized others through their own carelessness and thoughtlessness.

on Apr 29, 2011

There might be a tendency to be lazy, but not everyone *is* lazy.

Best regards,
Steven.

on Apr 29, 2011

What worries me most are the double standards employed by Sony.

When it's their information on the table, such as with the now infamous GeoHot circus, Sony is quick to the draw and absolutely unrelenting in their pursuit. It wasn't until the massive PR backlash and the mass media focus that the 'anonymous' statements brought to the situation that they holstered the lawyers and settled it out.

However, when their entire customer base's information is on the table, all they offer up are a few press releases and a helpful reminder to their customers to ensure their own security, all of which amounts to little more than a dusting of the hands.

"Hmm, seems that personal information of yours we had was stolen.  You might want to look into that."

The class action that's mounting against Sony unfortunately won't go terribly far. Their EULA for the PSN offers them a solid "They knew what they were getting into" defence, unless it can be proven that Sony literally did nothing to prevent - or even possibly made it easier for - the information being stolen.
