Sony Learns the Hard Way that Protecting User Privacy Is Not a Game

Chris Conley,
Policy Attorney,
ACLU of Northern California Technology and Civil Liberties Project
April 28, 2011

Less than a week after the revelation that Apple's iPhones and iPads keep location data logs, Sony a doozy of a privacy snafu of its own: a recent security breach on its PlayStation Network resulted in the loss of records of some Sony customers. There are still more questions than answers about the breach itself, but we can already identify two ways that Sony dropped the ball: failing to use before the breach, and failing to . We should expect better from companies to which we entrust our personal information.

It's not yet clear whether the breach captured users' credit card numbers (though many users have ), but it did expose not only personal information (name, street address, email address, birth date) but also the user's login name and password. This simply shouldn't happen. As one security blog put it: ""Unfortunately, it appears Sony may have done just that, turning an already-serious data breach into an "."

Compounding the problem, Sony apparently learned of the breach on April 19, but didn't . Instead of promptly coming clean and doing its best to protect users, Sony's delay put users at additional risk. Doing so has attracted the ire of Sen. Richard Blumenthal of Connecticut, who chastised the company for the "," and has already triggered one against the company.

Sony has suggested a few things that affected users should do to protect themselves:

  • Change your password on any other site that has the same or similar password as your Sony account, and change your Sony password as soon as the network is restored.
  • If you have a credit card associated with your Sony account, watch your account for fraudulent activity and consider placing a fraud alert with credit reporting agencies.
  • Be particularly suspicious of any contact (phone call, email, etc.) requesting your personal information, including any requests appearing to come from Sony.

If you're a PlayStation Network user, these seem like good steps to take. But Sony also needs to do a better job of protecting this information in the first place. If companies want us to entrust them with our personal information, they need to earn that trust by , including joining us to push for modernized privacy law. Hopefully Sony's painful lesson will encourage them and other companies to do the right thing now and avoid repeating this experience later.
