For the few of you left who still trusted Sony, now comes news of yet another massive data breach, this time for Sony Online Entertainment (SOE) users. SOE is their online multiplayer games offering. It sounds like a similar issue to the PSN hack, again with lots of data being taken. Making matters worse, apparently for players outside the US, Sony kept credit card numbers and/or bank details in an "outdated database" (read, one not properly secured or encrypted, apparently). And... Sony is now admitting that the breach occurred a few weeks ago, so this info has probably already been put to use. So, we've got the rootkit, the PSN and now the SOE issue. Who actually willingly pays Sony for anything any more?

Whoever is filing class action lawsuits against Sony for the PSN hack may want to pay attention to a totally different case in Northern California. You see, for years, we've noted that judges will toss out lawsuits about data breaches if the person suing can't show any actual harm. It's happened again and again and again. To some extent, you can understand the reasoning: if your data wasn't used to cause you any harm, should you really have much of a legal leg to stand on?

But, of course, the problem with that is that it lessens the damage that can hit companies for being downright careless with your private data. However, this case in the Northern District of California, involving Alan Claridge suing RockYou, has gone differently so far (found via Michael Scott), because Claridge made a different kind of argument:

While many plaintiffs in data breach cases (unsuccessfully) allege harm suffered based on an increased risk of identity theft as well as inconvenience and out-of-pocket expenses associated with credit monitoring, Plaintiff employed a unique argument. As the court described, “Plaintiff generally alleges that defendant’s customers, including plaintiff, ‘pay’ for the products and services they ‘buy’ from defendant by providing their PII [personally identifiable information], and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.”

According to the court, the alleged was enough for purposes of standing. “On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing . . . [T]he court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”

The court is still skeptical of the argument, but is at least willing to hear things out. In other words, this is still very early, and it's at the district court level, so those who like this argument shouldn't get their hopes up yet. But, it's certainly making it a case worth watching.

And I'd be remiss in not mentioning that this is the kind of thing that we'll almost certainly be discussing at our upcoming dinner salon, since it very much taps into the theme of how companies need to act when their "customers" are also their "product," in terms of the information and data they collect...

With Sony admitting that its PlayStation Network was hacked and that lots of personal info was accessed, you knew the reaction would be swift. Within a day we have class action lawsuits being filed and new laws being proposed. I agree that it was monumentally stupid of Sony to store passwords as plaintext rather than as hashes, which certainly leaves room for negligence claims, but will laws really make a difference? About the only reasonable response from a government official has been White House cyber boss Howard Schmidt (who has a history of being more reasonable than many of his colleagues), who noted that getting hacked is a risk of doing business, and it's not worth overreacting to Sony's situation:

"It's still a situation where specific incidents make it something it's not," he said. "Things make headlines that are just the risk of doing business in many cases."

But, of course that won't satisfy the class action lawyers or the politicians who are all over this. Beyond the plans to introduce laws, we've already seen that Senator Richard Blumenthal, who was a massive grandstander as Connecticut Attorney General, has continued his grandstanding ways with a public "demand for answers" from Sony.

We had avoided discussing what was going on with the PlayStation Network hack and subsequent downtime until more details were known, and now Sony is finally revealing what many people feared: a ton of personal info was leaked. According to Sony's blog post, among the information that hackers got was:

• Name
• Address
• Country
• Email
• Birthdate
• PlayStation Network/Qriocity password and login

Sony claims it's not sure yet, but that it "cannot rule out," that credit card info and password security answers may have also been included. To deal with that, they're saying people should assume that such info was compromised. So far, Sony's plan is to tell you to stay alert:

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

You hear that sound? That's the sound of a whole bunch of class action lawsuits being filed against Sony as we speak. I'd like to say it's a huge surprise that Sony would even store passwords and credit card data in a place where it could easily be extracted like that, but it's really not. This, after all, is the company that made the word "rootkit" famous, and spent the last few months wasting more resources in a quixotic legal campaign against a guy who added back a feature to the PS3 that Sony had deleted. Perhaps if it spent a little more time actually protecting its users rather than fighting silly battles, there wouldn't be issues like this.

As you may recall, Sony decided to delete its OtherOS feature on PlayStation 3 devices, despite it being a key selling point for many. It was a rude reminder that thanks to today's laws, sometimes you don't really own what you think you own. Of course this has also resulted in a class action lawsuit against Sony (and, less directly to Sony's legal attack on Geohot for restoring the feature). However, Slashdot points us to the news that the Finnish Consumer Complaints Board has said that Sony should pay 100 euros to a guy who complained about the deleted feature:

The CCB said that the removal of OtherOS crippled console features that were present at the time of purchase, and agreed that consumers should be compensated. It recommended that the manufacturer and seller of the console pay €100 jointly to compensate the man.

Unfortunately, it appears that the Consumer Complaints Board has no enforcement ability... but that its rulings are frequently used by courts in dealing with disputes. Thus, it seems that Finnish PS3 owners might want to see if they can start some sort of legal action to get their €100 back from Sony for taking away a key feature that was used in marketing the PS3.

When George Hotz (Geohot) settled the lawsuit Sony had filed against him for jailbreaking the PS3 in order to restore a feature that Sony had taken away (despite advertising it), many were upset. Part of the reason people were upset was that he had asked for donations, and insisted that he would fight Sony until the end. Those people wanted to know what would happen to the money they donated. Geohot has now said he's donating the remaining cash to the EFF, which hopefully will satisfy those who were upset over that aspect. As I said earlier, unless you've been subject to a lawsuit from a giant company, it's tough to sit there and criticize a guy for settling, rather than fighting to the end. The legal system is set up such that it's a stacked deck against the little guy, so as disappointing as it may be not to get a full ruling out of this, it's hard to fault Geohot.

Via Slashdot, comes the news that a bunch of George Hotz' (geohot) supporters are angry he decided to settle with Sony, as we recently discussed. Part of this is due to some of Geohot's own bluster during the lawsuit, including this statement:

"What if SCEA tries to settle? Let's just say, I want the settlement terms to include OtherOS on all PS3s and an apology on the PlayStation blog for ever removing it. It'd be good PR for Sony too, lord knows they could use it. I'm also willing to accept a trade, a legit path to homebrew for knowledge of how to stop new firmwares from being decrypted."

So, you can see why some may be upset that he didn't back that up. Others were more upset about the fact that they contributed money to his defense fund in the belief that he would fight the lawsuit. I can understand why some are angry, but I think it's tough for people who haven't faced a lawsuit to recognize the stress that being sued puts on a person. Even if I hope someone will often "fight the good fight" on a particular legal issue, it's usually difficult to fault an individual for settling if a reasonable opportunity presents itself. Yes, this will often prolong certain problems, but it's unfair to expect a single individual to take on a larger issue sometimes.

Sony has been getting widely slammed across the gaming and tech press for its bizarre and self-destructive lawsuit against George Hotz (Geohot), for jailbreaking the PS3 in order to re-enable a feature that Sony had long-advertised, but then deleted off of people's existing PS3s. The entire lawsuit made little sense, and Sony's quixotic attempt to continue to pursue it just got more and more bizarre, with the company even seeking and gaining access to the IP addresses of people visiting his website or watching the YouTube video he put up. However, it appears that the two sides have now settled their lawsuit, with Geohot agreeing to an injunction of some sort that apparently bars him from helping make PS3s more valuable in the future. Congrats, Sony, you've made your gaming devices less valuable. Quite a legal "victory" there...

Sony continues its crazy, pointless and damaging attack on George Hotz (Geohot), the guy who jailbroke the PS3 to add back in functionality that Sony itself used to offer, but disabled. The latest move is to accuse him of skipping the country to South America, implying he took money raised in donations to flee. Geohot has responded by noting that it's Spring break and he's on a vacation that he planned months ago. Sony also freaked out about the computer equipment that Hotz recently was forced to hand over, saying that it had been sabotaged by Hotz. The company claimed that Hotz had "removed integral components." However, Geohot's lawyer pointed out that Sony was completely overreacting, noting that the hard drives just didn't have the controller cards attached, which is hardly sabotaging the drives.

It looks like Sony's quixotic strategy of suing George Hotz (Geohot) for jailbreaking the PS3 is starting to cost the company in additional ways as well. Todd McDermid points us to the news of how another hacker, Koushik Dutta, who has quite a strong reputation in various circles, has rejected overtures from Sony PlayStation division for a job specifically because of Sony's attack on Geohot: It seems likely that the lawyers and execs at Sony who thought this whole legal strategy was a good idea didn't think through some of the consequences of their actions in terms of attracting new talent.