There’s a lesson to be learned from the Sony PlayStation Network debacle. When a high-tech company like Sony can’t keep subscribers’ personal information confidential, how can we trust relatively small businesses to do so? Sony announced, after keeping its corporate mouth shut for a week, that someone hacked into its database and gained access to, oh, just about 77 million personal files that include names, addresses, phone numbers, birth dates, passwords, login IDs, and may also have grabbed credit card numbers and expiration dates. In other words, their PlayStations may turn into “PlagueStations”.
In a moment I’ll offer some advice to PlayStation Network users. But first let’s talk about what kind of information people should be sharing with commercial companies.
In 1998 or thereabouts, when I was the consumer reporter for a TV station here in the Bay Area, I received a call from a distraught viewer who, while passing a dumpster, noticed that the bin was overflowing with bundles of what appeared to be application forms. It turned out they were forms for consumers who wanted to rent tapes from Blockbuster Video. Each form contained the customer’s name, address and credit card number. The forms also asked for driver’s license and Social Security numbers. Remarkably, most of the applicants had filled in those spaces as well, although doing so was optional. Anyone passing that dumpster could have obtained personal information on thousands of people and gone to town exploiting this vital info. Many of these applications had been completed by educated and professional people.
Fortunately, as soon as we aired the report “live,” both Blockbuster’s regional manager and the Campbell, California police force showed up to secure the site. The upshot is this: your information is never secure. So the more of it you share, the more likely you’ll have your identity stolen by nefarious nabobs of negativism (shout out to the late Spiro Agnew). Why would Sony need a person’s date of birth or phone number?
This is the advice, in part, that Sony is giving its customers:
“At no charge, U.S. residents can have . . . credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file.”
Users are advised not to respond to emails and phone calls that ask for personal information, and to carefully monitor their credit card statements for irregularities, unfamiliar charges in particular.
Last week, I wrote that OSH (Orchard Supply Hardware) stores in California now require that customers allow OSH personnel to run consumers’ driver’s licenses or military ID or passport through a card reader when returning purchases. When challenged, OSH says its database is secure. Evidently, OSH is doing this in order to track customers who return a lot of purchases. After all, it could be tempting for someone with compromised ethics to “borrow” tools or pieces of furniture and return them after briefly using them. But why does a retailer need my name, license number, address, birth date, hair and eye color, and weight in order to credit a purchase back to the same card I used to begin with?
And how trustworthy is OSH’s security? The Pentagon has suffered several cyber breaches of security during the last four years. In December of 2007, a hacker gained access to the personal information of 800,000 UCLA students, staff and alumni. I guess OSH knows something about security that Sony, the Pentagon and UCLA have been unable to master.
My advice is not to give out more personal information than is necessary. I’m not sure why Sony would need anyone’s date of birth or address, for instance. Social Security numbers should rarely be required, usually only where and when required by law, as with financial records.
As for OSH’s driver’s license requirement for returns, it’s goodbye OSH, hello Ace Hardware.