Sony PlayStation hack hits over 700,000 Australians

Sony's PlayStation hacking incident has affected around 715,000 local consumers, in one of the largest security and privacy breaches ever to hit Australian shores.

With credit card details amongst the information that could have been stolen by hackers, the NSW Police fraud squad advises users to check with their issuing bank before deciding whether to cancel their cards.

The Australian Federal Police has warned that if customers' personal data was hosted offshore, it would not be protected by Commonwealth law.

However, banks have been quick to allay fears, saying customers will be compensated for any "genuine fraud cases".

As reported earlier, Sony Computer Entertainment Australia said personal details such as names, billing and email addresses, and birthdays is among the information that hackers may have acquired during the security breach, which occurred between April 17 and April 19.

But it took the electronics and gaming giant more than a week to come clean on the hacking.

The company has yet to confirm where Australian customer data is stored with a spokesman saying: "Due to the current security related issue, we are unable to provide further details in regard to global network data or systems."

Globally the incident has potentially affected up to 77 million account holders.

The AFP said it was unaware of the full details or the number of local users affected, as the matter had yet to be referred to the agency.

However, if Sony held account holders' personal information overseas there was little legal recourse.

"We are unaware how many Australians have been caught up in this matter," an AFP spokeswoman said. "At this time we do not have any details on where the data was held or compromised.

"Should the relevant data be held outside Australia, is it likely that there is no applicable Commonwealth offence."

According to a local Sony spokeswoman, there are over 1.1 million PlayStation 3 devices in Australia -- approximately 715,000 people are connected to the PlayStation Network, which gamers use to spar online and purchase services like movie downloads.

NSW Police fraud squad commander, Detective Superintendent Colin Dyson, advised customers to speak with their bank and monitor activity on their credit card accounts.

Det Sup Dyson however did not push users into cancelling their credit cards in the first instance: "I wouldn't advocate cancelling a credit card before speaking to the bank."

NSW Police would not be conducting a separate investigation, he said. The relevant overseas agency in the jurisdiction where the offences occurred would investigate and other law enforcement agencies would be asked to assist.

Det Sup Dyson said that apart from credit card fraud, the main risk posed by the PlayStation hacking was phishing -- online criminal gangs would seek to augment the personal information they had obtained, until they had enough details to commit crimes.

"Based on the advice so far, the risk would be fairly low but they could use the information they have to commit identity crime," he said. "They could sell the information to other criminal gangs that use it. Personal information in itself is a commodity online.

"Other criminal networks could use social networking sites to accumulate more personal information."

To avoid identity theft, users should change their credit card PINs monthly, monitor credit card statements for unauthorised usage, and change online passwords and usernames regularly, Det Sup Dyson said.

The Australian Bankers Association said banks were working closely and co-operatively with all law enforcement officials and had well-developed systems in place to minimise fraud.

"Generally in circumstances such as these, when there is a security breach involving a company, banks will assess the information from the company involved, information provided by the card schemes and information provided by law enforcement officials regarding the risk of fraud to customers," said Steven Münchenberg, ABA chief executive.

"According to the (Sony) website information provided, there is no confirmation that card data has been compromised.

"Banks advise that there are no reported cases of fraud linked to the Sony event."

Mr Münchenberg said Australian bank customers were protected from loss in "genuine credit card fraud cases".

"Account holders are not liable for losses resulting from unauthorised transactions where it is clear that the user has not contributed to the loss," he said.

Banks were working together, and with law enforcement agencies and the card schemes, to detect any change in the fraud risk.

"Banks have security systems in place to constantly monitor transactions and if a transaction is identified as suspicious, it will be investigated to ensure there is no breach of security," Mr Münchenberg said.

"Occasionally, this may involve a bank staff member contacting you to verify a transaction.

"In the event that fraud does result, then the banks will be in contact with their customers to assist them."

MasterCard said it had no information indicating that its account data was at risk from the PlayStation breach.

"In the event that any MasterCard payment card data is found to be at risk as a result of the breach, MasterCard will work to notify card issuing banks of at-risk accounts so they may take steps to protect cardholders," a MasterCard spokeswoman said.

Visa was also working with relevant financial institutions to assess risk and take action.

"This may include reissuing cards if required," a Visa spokeswoman said. "As always, cardholders should ensure that their card issuer has their up to date contact details.

"It's important for Visa cardholders to know that they are protected against fraudulent purchases with Visa’s zero liability fraud protection policy."

(Published by The Australian - April 27, 2011)