This past week we've seen the results of two intrusions in Sony's networks. One intrusion of the PlayStation Network resulted in the exposure of the private data for over 77 million customers, including credit card information. A second intrusion into the Sony Online Entertainment division resulted in the exposure of nearly 25 million more user accounts and their data.
Sony was not immediately forthcoming with details, and chose to shut down their networks completely for several days in order to try cleaning up the damage. Sony claims the credit card information was encrypted, yet shortly after the intrusions some of the credit card information was put up for sale. Sony denies this, of course, but then again Sony has a history of lying to their customers and the public.
Sony isn't the only company that has been hacked recently. In 2009 and 2010, there was a rash of corporate attacks against Google, Adobe, and dozens of other high-profile companies, ostensibly to collect software code and personal data from their customers. The problem, however, is that companies are not forthcoming about how severe the attacks were and how much data was compromised.
While it's true that many security exploits and intrusions are the result of trojans and viruses, social engineering plays a big part in the exposure of data. Hackers can pose as employees of a target company, and talk their way into getting login information from a naive employee. After that, the doors are wide open.
It's really time for a major change in the way our personal, private data is handled. How many times do we have to read in the news that a worker for the Social Security Administration or the Internal Revenue Service lost a laptop containing the private data for millions of people? Or credit card companies? Or companies that don't bother to shred printouts of critical customer data and just toss them into a dumpster behind the corporate office?
This needs to stop. We need to take back our data from companies that are unwilling and unable to protect it. Most of these companies do not need to store our personal information. In fact, all they need to certify is that we've paid for their services. They don't need to have our credit cards on record. They don't even need our names, addresses, phone numbers, birth dates, social security numbers, etc.
All they need is an encrypted hash that resolves to a customer ID number. Let us, the people, hold our own data. The companies would then receive payments from our banks, attached to that encrypted ID number. Banks would not store this number, except perhaps on the monthly statement showing that the payment was made.
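To make the proposal above concrete, here is an added example (not code from the original post, and not any real bank's or merchant's system) of what "an encrypted hash that resolves to a customer ID" could look like in practice. The bank derives a per-merchant pseudonymous token for the customer with a keyed HMAC (a keyed construction is assumed here rather than a plain hash, because a plain hash of a card number can be reversed by brute force over the small, structured card-number space); the merchant receives a payment notice carrying only that token, an amount and an order reference, and its ledger stores nothing else. The `MerchantLedger` class, the `bank_payment_notice` message shape, the merchant IDs and the sample key and card number are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values for illustration only (not a real key or card number).
SAMPLE_PAN = "4111111111111111"
SAMPLE_BANK_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def derive_customer_token(bank_key: bytes, merchant_id: str, account_number: str) -> str:
    """Keyed, merchant-specific pseudonymous customer ID (assumed design).

    The bank holds bank_key and never shares it, so a merchant (or a thief who
    copies the merchant's database) cannot turn the token back into the account
    number. Mixing the merchant ID into the input gives each merchant a different
    token for the same customer, so two leaked databases cannot be joined on it.
    """
    message = merchant_id.encode("utf-8") + b"\x00" + account_number.encode("utf-8")
    return hmac.new(bank_key, message, hashlib.sha256).hexdigest()


def bank_payment_notice(bank_key: bytes, merchant_id: str, account_number: str,
                        amount_cents: int, order_ref: str) -> dict:
    """The message the bank sends the merchant: token, amount and order reference.

    No card number, name, address or birth date travels with it.
    """
    return {
        "customer_token": derive_customer_token(bank_key, merchant_id, account_number),
        "amount_cents": amount_cents,
        "order_ref": order_ref,
    }


class MerchantLedger:
    """Merchant-side storage: remembers only which token paid for which order."""

    def __init__(self, merchant_id: str) -> None:
        self.merchant_id = merchant_id
        self._paid: dict[str, set[str]] = {}

    def record_payment(self, notice: dict) -> None:
        if notice["amount_cents"] <= 0:
            raise ValueError("rejecting non-positive payment amount")
        self._paid.setdefault(notice["customer_token"], set()).add(notice["order_ref"])

    def is_paid(self, customer_token: str, order_ref: str) -> bool:
        return order_ref in self._paid.get(customer_token, set())

    def stored_bytes(self) -> bytes:
        """Serialise everything the merchant holds, so a leak check can scan it."""
        rows = sorted((tok, sorted(orders)) for tok, orders in self._paid.items())
        return repr(rows).encode("utf-8")


def leaks_account_number(ledger: MerchantLedger, account_number: str) -> bool:
    """True if the raw account number appears anywhere in the merchant's data."""
    return account_number.encode("utf-8") in ledger.stored_bytes()


def demo() -> dict:
    """Run one payment through the scheme and report the properties that matter."""
    shop = MerchantLedger("shop-a")
    notice = bank_payment_notice(SAMPLE_BANK_KEY, "shop-a", SAMPLE_PAN, 5999, "order-1001")
    shop.record_payment(notice)
    token_a = notice["customer_token"]
    token_b = derive_customer_token(SAMPLE_BANK_KEY, "shop-b", SAMPLE_PAN)
    return {
        "paid": shop.is_paid(token_a, "order-1001"),
        "unpaid_other_order": shop.is_paid(token_a, "order-1002"),
        "tokens_differ_across_merchants": token_a != token_b,
        "leaks_pan": leaks_account_number(shop, SAMPLE_PAN),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `leaks_account_number` is the defender's check: if a copy of the merchant's ledger is stolen, the thief gets tokens that are useless without the bank's key and that do not match the same customer at any other merchant. The merchant can still answer the only question it needs answered, whether a given customer paid for a given order.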
Start fighting back now. Demand that online stores stop hanging on to our credit card information. If a website asks you to store the information online for future use, DON'T DO IT. If an online store allows you to shop as a guest instead of signing up for another user account, do it. Every time you give companies your info, you make it easier for someone else to steal it and steal from you.