The theft of consumer data from Sony Corp. underscores the fraud threat facing online retailers, although whether this breach will directly impact e-retailers largely depends on whether credit and debit card numbers actually were stolen, experts say.
Sony Corp. reported last week that hackers had broken into its PlayStation Network and stolen information about some 77 million customers, including names, street addresses, e-mail addresses and dates of birth. Sony officials said over the weekend that up to 10 million credit card numbers could have been compromised. While they don’t know if the hackers accessed those card numbers, they said, “We cannot rule out the possibility.”
Sony also announced today a second breach in which hackers stole personal data on 24.6 million accounts from the Sony Online Entertainment system. Sony said the data stolen could have included 12,700 non-U.S. credit and debit card numbers and information about 10,700 customer bank accounts in Europe.
The theft of personal information will likely lead to more phishing e-mails, in which criminals attempt to extract confidential information from consumers by pretending the e-mails they send are coming from a reputable organization, such as a bank or retailer, says David Montague, president of The Fraud Practice LLC, a consulting firm that specializes in card-not-present and online fraud prevention. Consumers who fall for those scams could face losses, such as from unauthorized withdrawals from their bank accounts. But this is not a direct threat to retailers, Montague says.
The direct threat would arise if credit and debit card numbers were in fact stolen from Sony, whose PlayStation Network allows consumers to play video games with other online gamers and to stream entertainment content for a fee.
When large numbers of credit card numbers are stolen, there are more available for sale and fraud attempts increase, Montague says. “You definitely did see that from the TJ Maxx breach,” he says. “The supply went way up, pricing went way down, so the number of attacks increased.” TJX Cos., operator of such retail chains as T.J. Maxx and Marshalls, disclosed in 2007 that hackers had broken into its network and stolen as many as 94 million Visa and MasterCard payment card numbers.
There have been so many such thefts of payment card numbers that retailers have to consider every credit and debit card number suspect, says Jonathan Penn, an analyst at Forrester Research Inc. “There are new incidents we learn about every week, and there are many others we don’t learn about,” he says. “Anything could be compromised at this point.”
Penn says retailers should avail themselves of the latest fraud-fighting techniques that vendors are offering. As examples, he pointed to Ethoca, which aggregates data about fraud from many retailers, and iovation, which compiles a database of computers associated with fraud.
The payment card networks also do their part to reduce fraud when card numbers are exposed. In a statement on the Sony PlayStation breach, Visa Inc. said, “If the investigation finds that card data was put at risk, Visa will notify card issuers about compromised accounts so they could take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.” Credit card issuers, mostly retail banks and entities like American Express, think twice about reissuing millions of cards because each new card they send out costs them about $30, Penn says.
Part of the Sony PlayStation Network service includes streaming of movies and TV shows from Netflix, No. 14 in the Internet Retailer Top 500 Guide. But a Netflix spokesman dismissed a suggestion that Netflix account information might have been compromised in the attack on Sony, saying there is a separate sign-up process for the two services.