There has been a lot said about the PlayStation Network hack, enough to warrant its own Wikipedia page. With a calculated total of 77 million accounts affected, and a breach that has compromised both personal and sensitive financial details, this has been a PR disaster of epic proportions for Sony. In the competitive and profitable console market, this may very well taint the Sony brand forever, even if the network is back online at the end of May as reported.
There is little left to say as most of the important details have been repeated ad nauseam everywhere. Nonetheless, I wanted to weigh in on some of the wider regulatory aspects of the attack as the incident has personal implications. I am one of the 77 million users who have been affected. More than not being able to play FIFA 2011 online, or not being able to co-operate in Portal 2, the hack has meant that I have been monitoring my bank account closely just in case. This is a minor annoyance that I could do without, and I am sure that I am not alone in this.
The legalities of the breach are quite straightforward regardless of jurisdiction. I would say that this falls under several criminal types in most systems that I am familiar with. This would be covered mostly under normal anti-hacking legislation as it clearly involves unauthorised access to a computer system. If the hackers are caught, there will be enough law to put them behind bars. From Sony’s side, the lawsuits have already started landing in several countries, and I would expect this to continue in the near future.
What really interests me is that this is just another episode of the ongoing unspoken war between the Internet fringes and the establishment, a phenomenon that has been covered in these pages before. Initially, a hacker code-named Geohot was blamed, but he denied it by saying that “hacking into someone else’s server and stealing databases of user info is not cool.” Speculation quickly moved from individual hackers to Anonymous, and the big question seems to be whether the collective was involved in the hacking incident. Anonymous has denied involvement, but various pieces of evidence have emerged that point towards some level of guilt. Firstly, Sony has said directly that it believes Anonymous was involved. In a letter to the U.S. Congress Subcommittee on Commerce, Manufacturing and Trade from Sony Executive Kazuo Hirai, the following statement was included:
“Sunday’s discovery that data had been stolen from Sony Online Entertainment only highlights this point. When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen, it also discovered that the intruders had planted a file on one of those servers named “Anonymous” with the words “We are Legion.” Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous.”
So, the perpetrator left a calling card. This is damning evidence, but anyone could have done it. The Financial Times then broke the news that it had obtained information from two former Anonymous members that those involved were likely part of SonyOp, an Anonymous operation. The current state of intelligence is that Anonymous as a group may not have been involved, but that individual members might.
All of this is important because for quite a while now we have been saying that perhaps authorities should be taking Anonymous more seriously. While there have been some arrests, it seems like the larger group has continued to go about their Denial of Service business untroubled. However, identity theft and being involved in a large-scale data breach involving millions of credit card details could get the group in serious trouble if it was proved that they participated in the PSN incident in any form.
I predict that regardless of the level of involvement by Anonymous, we are long overdue a real crackdown on their operations. With higher profile comes greater responsibility, and we may very well get to see just how effective old-world enforcement can be against a massive Internet collective.