
With the number of people exposed in breaches at Sony now topping 100 million, it’s natural to wonder what happens next if your data winds up in the hands of for-profit cybercriminals. The answer is, it probably gets sold for less than the price of a first-person shooter.
Sony this week announced a second breach of its systems, this one targeting Sony Online Entertainment, the company’s game development and distribution arm. Sony uncovered the hack while investigating last month’s intrusion into the PlayStation Network that compromised personal information on 77 million users, including the encrypted credit card data belonging to 12 million of them. The new attack adds another 24.6 million users, with 20,000 credit card and bank account numbers.
In a letter to a House committee investigating the privacy implications of the breaches, Sony on Wednesday pointed the finger at the hacktivist collective Anonymous for the first time. The SOE attacker, the company said, left a file behind named “Anomymous,” containing the familiar tagline “We Are Legion.”
If Anonymous was really behind both intrusions, that could be good news for consumers – the group isn’t known for identity theft or credit card fraud. But the Sony letter also describes the PlayStation Network hackers zeroing in on the customer database. Could for-profit intruders have dropped Anonymous’ calling card as misdirection, like storm troopers leaving gaffi sticks and bantha tracks outside a smoking sandcrawler?
Sony said that so far, credit card companies haven’t seen any fraudulent activity linked to the breach. But if profit, not lulz, was the motive in the attack, then the stolen data will almost certainly be sold eventually, and a global underworld exists just for that purpose.
Vendors advertise their stolen data on web-based “carder” forums, and sometimes operate their own virtual storefronts. But the detailed negotiations over price and quantity often take place in private chats, away from the prying eyes of law enforcement and the public.