While Sony says it is still unsure if the hacker who broke into its PlayStation Network and Qriocity Music Service was able to access credit card information, consumer advocates are on high alert.
The potential that criminals could run up fraudulent charges is a logistical nightmare for consumers — even if they won't be held responsible for those bills. But beyond the consumer impact of this data breach, which is one of the largest on record, corporate America is bracing for a potential impact.
While credit card providers might seem the most at risk, it's actually retailers who will take the brunt of the loss from any potential fraudulent charges.
"For the banks and credit card companies, it will be a major hassle, but the fraud that happens as a result of data that is stolen from an e-commerce provider accrues to the retailers," says Avivah Litan, vice president and distinguished analyst at Gartner. "If Sony had been a retailer who had physical card data, (credit card companies and banks) would fine Sony for it, but when it happens to an e-commerce firm, all of the costs go to the retailers, and the banks protect themselves."
To date, credit card companies say they've been hearing the same thing as consumers: It appears no card information was stolen, but Sony cannot say so definitively. Because the situation is still uncertain, they declined to speculate on hypothetical scenarios, but each has fraud processes in place that are designed for these sorts of situations.
"It's in everyone's best interest to minimize the fraud," says Marina Norville of American Express. "We have a closed loop network, which means we have access to both merchant and card member information — so a lot of times, we're able to stop fraud before it happens."
Ultimately, it may not matter if card data was stolen. With the wealth of personal information that was taken from the PlayStation Network, criminals could easily have future cards issued to them.
That's because people typically use the same passwords on several sites despite warnings against this practice, and they generally pick the same security questions and answers. With that data compromised, even accounts under "fraud alert" are susceptible, since most service providers will ask for answers to your secret question before proceeding with a request.
If the thief has that information, the alert doesn't help.
For Sony's competitors, the short-term impact is muted. The violation of trust has angered many subscribers, who criticized the company for not being transparent about the severity of the breach — but gamer anger tends to burn hot and be forgotten upon release of a 'must have' title.
Microsoft could see a slight bump in subscriptions to its Xbox Live service, but Nintendo is essentially a non-player in the category at present.
The bigger worry, say analysts, is long-term — specifically, how will this impact Sony's reputation as more and more data moves to the cloud? Investors might not be punishing the company's stock today (shares were down about 3 percent in midday trading), but as the digital revolution continues, the shadow of this breach could haunt it.
"It's hard to measure the financial impact a PR disaster like this has," says John Taylor of Arcadia Research. "In many ways, the PlayStation Network is something Sony is still ramping up. It's not a big contributor to Sony's bottom line right now. But, it's a foot in the door … Longer term, it certainly has bigger implications for Sony, because everything is networked. Sony is one of the top brands in consumer electronics and it needs to be reliable."