ID theft in Saudi... Who could you sue?

Author: Molouk Y. Ba-Isa
Publication Date: Wed, 2011-05-04 15:59

In the e-mail from PlayStation Network, I was informed that at some time "between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network." I was well aware of this thanks to extensive media coverage of the network hack. Sony Network Entertainment took ten days to send me their notice. In their e-mail, the PlayStation Network team "regretted any inconvenience" that had been caused, but they never said they were sorry for allowing my data to be stolen.
In reality, most of the information I'd registered at the site was false. I would never register a correct birth date, name spelling or address — although the hackers do know where I play from, my user name, password and e-mail. I never used a credit card at the site either, although friends in Canada who did so felt it was smart to cancel and reissue their credit cards. That was not done on the recommendation of Sony. PlayStation Network's e-mail advised people to "monitor" their credit card statements. Yes, just wait until nasty charges appear on the credit card bill, and then try to get them removed and the card canceled.
Sony is now being sued in the US for the PlayStation Network breach. That's excellent. Companies too often don't invest enough in security, thinking such expenditure eats into profits. The huge sums Sony will spend fighting the lawsuits should encourage other international firms to reexamine their client data security measures.
Sony was forced to reveal the data breach due to the regulatory environment in which they operate and to avoid even costlier lawsuits. What would happen in Saudi Arabia if a private company had a data breach? I suspect that nothing would ever be told to the individuals involved and if they did find out, they'd have no recourse.
This is a growing concern. A few months ago, I went to a private housing compound near Half Moon Bay in Alkhobar. To visit a resident living in that compound, a guest must allow his or her national ID to be copied, provide full address and telephone information and be photographed. I was told the data would be held indefinitely. I refused to comply, apologized to my friends and left. Then last week, a private hospital in Alkhobar insisted on scanning my fingerprints. In the future, access to my medical records at that hospital will only be allowed by fingerprint match — even though I can produce a national ID which should be enough identity confirmation anywhere. I asked hospital staff what security was in place for holding such sensitive biometric data as my fingerprints. Nobody would tell me. They probably didn't even know.
For years, private companies in Saudi Arabia, from telecoms to banks, have been demanding to photocopy our national IDs and keeping them on record. Now they want to start holding our biometric data. Recently, the government implemented extreme measures to prevent Saudi IDs from being counterfeited. However, there has been no directive to private entities to stop collecting and holding sensitive ID data. There is a desperate need to set up a Saudi government agency responsible for providing instant identity authentication as a service for private organizations. It would cost the government nothing, since the service would be funded through fees paid by the commercial entities that use it. It should also become illegal for private companies operating in the Kingdom to hold national ID or biometric information. These measures would protect citizens and residents from the misery and expense of identity theft and enhance the nation's security both in the real and virtual worlds.
