Thursday, May 19, 2011

Sony Causes Veterans/Police Officers to be Concerned



I'm spontaneous, compulsive and addicted to these fee-based MMOs. But I only play on PC and don't use consoles.


Console and PC users alike had one thing in common, a credit card. It was a required condition that you use one to have the ability to access the online-only games. Some game developers would allow the user to use a game card that you purchase online via a credit card or buy in retail stores like Walmart, Target, GameStop, etc.

I've always assumed that these companies protected our credit card and personal information much as any financial institution would. The assumption was wrong!


On April 17th 2011, hackers bypassed Sony's security and stole all their customers' personal information. The information included (but was not limited to) name, address, date of birth, email address and credit card number. Some users even had their bank account information stolen. This information was required in order to activate a monthly subscription on both the PC and game console.


Sony violated the trust of its users even further by not disclosing publicly what had transpired. It's my opinion that people should have been notified immediately regardless of the company's reputation or loss of sales as a direct result of this breach. It has now backfired, and due to not notifying me and other users faster, I have decided to never again purchase anything with the Sony name on its packaging or a company with any direct affiliation with them. I am furious that they allowed my personal information to get out in the hands of those that can only have malicious intent in mind. Who knows, perhaps their intent was to punch Sony in the nose and nothing more. Only time will tell. It's well known by many gamers that Sony could care less about its player base anyway. It's all about money and everything else is secondary. Including their reputation!

On May 3rd I received an email from Sony stating I had in fact been a victim of this breach. They went on to say my credit card info was not likely stolen and is stored in a different location. The letter states we should contact the three credit reporting bureaus and discuss options. They also recommend putting some sort of security block on our credit? I'm not sure how that works but whatever it is, I can't afford it. I have a small fixed monthly income (VA disability) and it doesn't allow for things like this. And I've already used my once-a-year free credit report so I would have to pay for a new report. It's just bad timing financially. My car, this, that and the other prevent me from sinking hundreds of dollars into this... breach problem.

I should not have to do any of this!! I trusted them to keep my information secure.

I'm very upset that I'm being forced into a position where I have to not only worry about my financial security, but my personal security as well. They have my email address. A quick Google search will result in the hackers knowing I'm an ex-cop. People like to kill cops. That's just how it is. So I fear for my personal safety as well and I'm considering moving as a direct result of this. If this information gets into the hands of organized crime, a lot of bad things can happen to a lot of people.

We're not talking about a few kids here. We're talking about 125 million professional working adults (very few kids). FBI agents, congressmen, professional athletes, police officers and not to mention the thousands upon thousands of veterans. That is of particular concern. Veterans acknowledge serving and do so proudly (I have on many occasions). The SOE forums are FULL of veterans stating they kicked in doors in Iraq or Afghanistan. Vietnam vets included, all veterans now have a new risk. Another worry that we shouldn't have to burden! This information can be sold to the highest bidder. You must not assume the only valuable part of the stolen data is credit card numbers. A hit list could be generated like the world has never seen. With a little bit of effort and searching online, this list can be easily generated via the stolen data. So it's my opinion that SOE should erase all forum activity since 1999 and the launch of EverQuest.

Terrorist organizations and perhaps foreign governments would pay millions for such a list! It would take 10 guys with minimal knowledge of the internet to find out much more about who you are or used to be. A list could be generated in less than a week. And if they had the ability to access Sony's security, what makes you think they can't access state databases (Dept. of Transportation, Treasury or Dept of Human Services for social security numbers) to support the information they already have? Name and date of birth do wonders when typed into a state computer!


Also, as a direct result of this breach, sites like AKO and other US military sites need to force members who play video games to change their passwords. Many of us use the same passwords on all our websites. It would be difficult for me to have a different password for every site I frequent.

Today something unusual happened in Lansing, Michigan. All the computer systems went down for some undisclosed reason. They said ".... statewide computer problem that has affected not just the SOS branch system, but other state departments including Corrections, Treasury, Community Health and Human Services."

If these hackers had the capability to access these databases with just the information SOE had, they could discover your entire life history and obtain your social security number. Department of Corrections is tied in to the federal system used for background checks a.k.a. NCIC. I'm quite familiar with this system. A simple few keywords will give you all possible information on someone that you could ever want to know. Hackers logged into Michigan Department of Corrections would have full access to NCIC without anyone knowing until it's too late.

Sony should not have waited to tell its customers about this. We should have known immediately and had the option of canceling our credit cards, deleting this or that, changing passwords, etc. Instead, they tried to save face and conceal it until there was no other option than to go public. So even if I had canceled my credit card immediately or not, it would have been too late. I've decided not to cancel it based on Sony's press release that they don't believe this card info got into the hands of the bad guys. But if something goes wrong and they're wrong, I'm going to be in bad shape.


I want to clear up some stuff I read about "fault". Sony is to blame here, not the hackers. I trusted Sony, as did many others. They become a financial institution the second they're trusted with our private information. There should have been sufficient security in place which would have avoided this from happening in the first place!



To make matters worse I discovered something interesting last night. A couple days ago SOE announced that EQ2 was back up and running and that all users were being granted free game time. So I logged on my account to delete my credit card info. What I discovered is Sony erased my last transactions as to make it appear I wasn't an active user or something. It still shows my entitlements granted by recent purchases, but the purchases themselves were deleted out of that part of their website. I'm not exactly sure why, but I got screen shots and receipts to prove I was an active user of SOE services.

Here are some screenies of one of my two accounts.

No Destiny of Velious or other subscription info for the previous year.

I have contacted an attorney and I have every intention of joining this class action suit filed in California. It's not for personal gain, but I believe they should have to pay for their users to set up some sort of "Life Lock" or security for social security/credit card protection. I also believe they should be held responsible for this breach in our personal security and welfare. I'm furious that we were not notified right away. It was over 3 weeks until I got that letter from Sony explaining I was a victim. THREE WEEKS!!! It's too late to do anything about it now. The list is already out there and the damage is done. We just have to sit back and pray that hackers won't steal what little money I have. Meanwhile, I'm shopping for a new place to live.

Notice "Destiny of Velious". It released February 22, 2011.

Gaming history has been rewritten this month. It will never be the same because of Sony's negligent misconduct while handling our personal information. Other things have changed as well...

This is how I found my account. No credit card number to delete.

Who would have ever thought that my bad and compulsive habits would turn into something like this? Perhaps it was the lesson I needed to think twice before being so quick to drop my debit/credit card on things I don't need. A moth drawn to the flame only gets one chance. I'm lucky to be able to say I have a chance to learn from this and grow as a man. I pray that none of the 125 million victims have any irreparable harm from this breach.

Here is the actual letter I received:


Sony Online Entertainment
Customer Service Notification
May 2, 2011
Dear Valued Sony Online Entertainment Customer:
Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.
Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained and we will be notifying each of those customers promptly.
There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.
We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.
We apologize for the inconvenience caused by the attack and as a result, we have:
1. Temporarily turned off all SOE game services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE™'s services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at (877) 382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.
We are committed to helping our customers protect their personal data and we will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in regions in which such programs are commonly utilized.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at (866) 436-6698 should you have any additional questions.
Sincerely,
Sony Online Entertainment LLC
THIS IS A CUSTOMER SERVICE NOTIFICATION.


www.soe.com
Sony Online Entertainment LLC
8928 Terman Court - San Diego, CA 92121