April, 2011

At last, Sony and all involved in running the PlayStation Network have come clean with exactly what has happened with their network.

For the past few days, all access to the Playstation Network and Qriocity services have been unavailable as they turned off the service to investigate what has happened.

3 minutes ago, the user PlayStationEU on twitter announced a link to their latest blog post (here: click!). The blog post states:

we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.

If you have a Playstation and you’ve signed up for the Playstation Network, it may be wise for you to consider changing your password or authentication details if they are the same on other sites or networks.

This is yet another example of the importance of ensuring your passwords are not all the same for every service. If you can use a three-word-phrase instead, use a three-word-phrase. For example, the password “abc123” is nowhere near as secure as “my dog smells”.

A School in Oldham has breached the Data Protection Act after the theft of an unencrypted laptop from a teacher’s car, the Information Commissioner’s Office (ICO) said today.

The laptop contained personal information relating to 90 pupils at the school.

The school reported the breach to the ICO in January after an unencrypted laptop was stolen from the boot of a teacher’s car when parked at their home overnight. The ICO’s enquiries found that the school was unaware of the need to encrypt portable and mobile storage devices, although it did have a policy in place informing staff that storage devices should not be kept in cars when away from the school premises.

The Head Teacher of Freehold Community School has signed an undertaking to ensure that portable and mobile devices including laptops and other portable media used to store and transmit personal data are encrypted using encryption software which meets the current standard or equivalent.

Staff will also be trained on how to follow the schools policy for the storage and use of personal data and the school has agreed that its policies on data protection and IT security issues will be appropriately and regularly monitored.

The ICO has produced guidance for schools, colleges and other educational institutions explaining their obligations under the Data Protection Act which can be found on the ICO website here.

NHS Birmingham East and North breached the Data Protection Act by failing to restrict access to files on their IT network, the Information Commissioner’s Office (ICO) announced today. The breach led to some NHS staff at their own Trust and two other NHS Trusts nearby potentially being able to access restricted information.
NHS Birmingham East and North reported the breach to the ICO in September last year after discovering that electronic files, stored on a shared network, were potentially accessible to their own employees and the employees of two other local Trusts.

The files contained information relating to thousands of individuals, including members of staff. Although health records were not compromised as part of the breach, the files also contained some high level information relating to patients.

The ICO’s investigation has found that, while most of the files were not easily accessible and some security restrictions were in place, file security in general was inadequate.