Seminar 5: Data Breach Case Study

Select one of the cases by completing Data Breach choice. Once you have made your selection, you will be able to see the links to the case.
Then complete a breach checklist as discussed in the lecturecast (reproduced below):

  • What types of data were affected?
  • What happened?
  • Who was responsible?
  • Were any escalation(s) stopped - how?
  • Was the Business Continuity Plan instigated?
  • Was the ICO notified?
  • Were affected individuals notified?
  • What were the social, legal and ethical implications of the decisions made?
  • If you had been the ISM for the organisation you selected, what mitigations would you have put in place to stop any reoccurrences?

Sony PlayStation Network
What types of data were affected?

Names, addresses and possibly credit card data belonging to 77 million user accounts: people’s names, addresses, email addresses, birth dates, usernames, passwords, logins, security questions and more.

What happened?

Paller suspected the hackers entered the network by taking over the PC of a system administrator who had rights to access sensitive information about Sony’s customers. They likely did that by sending the administrator an email message containing malicious software that got downloaded onto his or her PC. Paller said Sony probably did not pay enough attention to security when it was developing the software that runs its network: in the rush to get innovative new products out, security can sometimes take a back seat.

Who was responsible?

unknown

Were any escalation(s) stopped - how?

They shut down the network service and waited a few days before notifying their customers about the data breach.

Was the Business Continuity Plan instigated?

Sony said it has hired an “outside recognized security firm” to investigate.

Was the ICO notified?

unknown

Were affected individuals notified?

After they shut down the entire network, Sony waited a few days before notifying everybody.

What were the social, legal and ethical implications of the decisions made?

Sony said its users could place fraud alerts on their credit card accounts through three U.S. credit card bureaus, which it recommended in its statement.

“They have to innovate rapidly. That’s the business model,” Paller said. “New software has errors in it. So they expose code with errors in it to large numbers of people, which is a catastrophe in the making.”

If you had been the ISM for the organisation you selected, what mitigations would you have put in place to stop any reoccurrences?

We will be discussing these case studies and associated activities in this week’s seminar. There will also be an opportunity to review your team’s progress during the seminar.

The online network was launched in the autumn of 2006 and offers games, music and movies to people with PlayStation consoles. It had 77 million registered users as of March 20.

I would have launched the network anyway, because I understand they have target timing to meet to be innovative in this busy market. However, knowing that we had launched a network that was not totally secured, I would have worked on it and prioritised patch updates to maximise the security of the data after the launch.