May 3, 2011, 3:41 PM

Sony data breaches highlight the fraud risks online retailers face

If hackers stole credit card numbers, criminals will have more data to work with.

Don Davis

Editor in Chief

The theft of consumer data from Sony Corp. underscores the fraud threat facing online retailers, although whether this breach will directly impact e-retailers largely depends on whether credit and debit card numbers actually were stolen, experts say.

Sony Corp. reported last week that hackers had broken into its PlayStation Network and stolen information about some 77 million customers, including names, street addresses, e-mail addresses and dates of birth. Sony officials said over the weekend that up to 10 million credit card numbers could have been compromised. While they don’t know if the hackers accessed those card numbers, they said, “We cannot rule out the possibility.”

Sony also announced today a second breach in which hackers stole personal data on 24.6 million accounts from the Sony Online Entertainment system. Sony said the data stolen could have included 12,700 non-U.S. credit and debit card numbers and information about 10,700 customer bank accounts in Europe.

The theft of personal information will likely lead to more phishing e-mails, in which criminals attempt to extract confidential information from consumers by pretending the e-mails they send are coming from a reputable organization, such as a bank or retailer, says David Montague, president of The Fraud Practice LLC, a consulting firm that specializes in card-not-present and online fraud prevention. Consumers who fall for those scams could face losses, such as from unauthorized withdrawals from their bank accounts. But this is not a direct threat to retailers, Montague says.

The direct threat would arise if credit and debit card numbers were in fact stolen from Sony, whose PlayStation Network allows consumers to play video games with other online gamers and to stream entertainment content for a fee.

When large numbers of credit card numbers are stolen, there are more available for sale and fraud attempts increase, Montague says. “You definitely did see that from the TJ Maxx breach,” he says. “The supply went way up, pricing went way down, so the number of attacks increased.” TJX Cos., operator of such retail chains as T.J. Maxx and Marshalls, disclosed in 2007 that hackers had broken into its network and stolen as many as 94 million Visa and MasterCard payment card numbers.

There have been so many such thefts of payment card numbers that retailers have to consider every credit and debit card number suspect, says Jonathan Penn, an analyst at Forrester Research Inc. “There are new incidents we learn about every week, and there are many others we don’t learn about,” he says. “Anything could be compromised at this point.”

Penn says retailers should avail themselves of the latest fraud-fighting techniques that vendors are offering. As examples, he pointed to Ethoca, which aggregates data about fraud from many retailers, and iovation, which compiles a database of computers associated with fraud.

The payment card networks also do their part to reduce fraud when card numbers are exposed. In a statement on the Sony PlayStation breach, Visa Inc. said, “If the investigation finds that card data was put at risk, Visa will notify card issuers about compromised accounts so they could take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.” Credit card issuers, mostly retail banks and entities like American Express, think twice about reissuing millions of cards because each new card they send out costs them about $30, Penn says.

Part of the Sony PlayStation Network service includes streaming of movies and TV shows from Netflix, No. 14 in the Internet Retailer Top 500 Guide. But a Netflix spokesman dismissed a suggestion that Netflix account information might have been compromised in the attack on Sony, saying there is a separate sign-up process for the two services.

Comments | 1 Response

  • Don, this was a super timely piece. You beat several pubs to the punch. And Penn hit the nail on the head. These crooks are going to start using this data – but by merchants working together to share this intelligence and having a link to law enforcement, the community can detect the patterns and assist merchants in protecting themselves. By sharing data, merchants can see the trends quickly and effectively. As you reported in a January 2011 article on Ethoca's Crosstalk report, a criminal armed with a stolen credit card is likely to use it to make fraudulent purchases at more than one web merchant. Ethoca's research shows not only the importance of sharing data, but how quickly it needs to be shared in order to be effective, and what kind of difference it makes to share it across industries. That's why merchants who share data should do so in real-time or near real-time. With speed, digital goods and services can be shut down before the thief is able to get or use them. If readers here aren't already participating in the global effort to stop ecommerce fraud through managed data sharing, it's easy to get started at (the service is currently free). -- RD
