If you’re reading this, the general story should be nothing new: it’s all over the place, from BBC to G4 to CNN, Joystiq, IGN, Engadget, Cnet, newspapers, articles and TV stations. When a multi-billion dollar company gets hacked, trust me, you’ll definitely know about it. I’ve compiled this concise article of things that have happened, and I will be updating it as news surfaces.
THE WORLD IS A SCARY PLACE
If Sony can get hacked, then it’s possible that the only other people who are seriously unlikely to get hacked are governments and their agencies, and banks. This might be true if only people believed that Sony had their data securely encrypted and out of harm’s way; but anyway, let’s skip the small talk. This is a brief rundown of everything as of today, 28th April 2011.
Did I mention I bought Portal 2 yesterday for PS3? Did I also mention that I can’t play it? It’s highly possible that you don’t care but you might understand how that feels.
April 4th – Anonymous Issues a Statement to Sony as PSN goes down for “Maintenance”
April 20th – PSN down due to external intrusion
April 26th – PSN Accounts hacking confirmed | Result was dependent on ‘forensic analysis’
April 26th – US Senator Blumenthal questions the efficiency of Sony’s reaction
April 27th – Sony launches a Q&A section regarding the issues
April 27th – Valve says the breach has nothing to do with Steam
April 27th – New firmware will accompany PSN when it goes online
April 28th – PSN Class Action Lawsuit filed
April 28th – Sony Online Entertainment customer data is safe
Update:
April 28th – Geohot responds to PSN breach
April 29th – Your credit card information might be on sale
May 1st – Some PSN services return within a week | Full within a month
April 4th 2011 – PSN goes down for “Maintenance”
The Playstation Network went offline, along with various other Sony websites (e.g. the Playstation Blog), several hours before Anonymous issued a statement to Sony regarding the actions it took against GeoHot and other hackers.
Sony never stated that these outages were directly related to Anonymous.
April 20th – PSN down due to external intrusion
PSN was “taken down” on April 19th by Sony due to an external intrusion. Although Anonymous did take responsibility for the downtime on the 4th of April caused by their DDoS (Distributed Denial of Service) attacks, they denied having any involvement in the events that led to this downtime.
Sony’s senior director of corporate communication and social media, Patrick Seybold, issued the following statement:
“An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th. Providing quality entertainment services to our customers and partners is our utmost priority. We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share.”
April 26th – PSN hacking confirmed | The forensic analysis
On the European Playstation blog that morning, Nick Caplin (the head of communications at SCEE) said, “there’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised.” He continues by saying, “it was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach.”
The blog posted this list of the personal information that Sony believes might have been obtained:
- Name
- Shipping address
- Billing address
- Country
- E-mail address
- Birthdate
- PSN/Qriocity ID
- PSN/Qriocity password
- PSN/Qriocity security question and answer
- Purchase history
Sony admits that the credit card information it stores, which is used to make various purchases on the Playstation Network, may also have been stolen, but there is no evidence that this has happened.
Nick Caplin also stated, “If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.”
User responses have been dynamic to say the least, largely because of the time that passed between the breach taking place and Sony informing its users that their personal information had been compromised. Between the date of the breach (Wednesday 20th April) and informing the public of the extent of the breach (Tuesday April 26th), Sony issued 3 brief statements asking its users to be patient while it investigated an “external intrusion.”
BBC – Playstation Legal Action
April 26th – US Senator Blumenthal questions Sony
As a result of Sony’s almost 6-day delay before informing its users that their personal information, along with their credit card credentials, was obtained by an unauthorized user (hacker), Connecticut Senator Richard Blumenthal is demanding answers.
He has sent a letter to SCEA President and CEO Jack Tretton regarding the breach and their untimely response to it; in it he states:
“I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.”
View Senator Blumenthal’s full letter
Did you know that there is a rumor that your credit card information is sent insecurely from your PS3 to PSN?
April 27th – Sony launches a Q&A section
In the Q&A Sony states that some of their services will be back online within a week.
April 27th – Valve says the breach has nothing to do with Steam
All of these events have conveniently coincided with the launch of Portal 2 and its cross-platform integration with Steam. Suspicious indeed, and so G4 contacted Valve’s Doug Lombardi, the vice-president of marketing, who said plainly:
“No. Steam has nothing to do with the PSN outage.”
Read G4’s full article from contacting Steam
April 27th – New firmware will accompany PSN online
Once PSN is restored, the new update will require the user to change their password. The SCEA PR director Patrick Seybold also states that the company will be “moving our network infrastructure and data center to a new, more secure location, which is already underway.”
It is also advised that users change their passwords, as the same password may be in use on other services under the same email address. Hackers can then use the old password to gain access to other services that the user might have.
It’s possible that the events that have taken place are a result of Sony’s attempts to control public jailbreak information and to silence hackers, e.g. Geohot.
April 28th – PSN Class Action Lawsuit filed
Remember US Senator Blumenthal on April 26th? Yeah, well, he’s pissed off, and how does he plan to get happy again, you ask? Well, he wants to make the 77 million people who use PSN happy by filing a Class Action Lawsuit against Sony via the Rothken law firm.
The lawsuit directly accuses Sony of “breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information.” The lawsuit also alleges that Sony failed to properly encrypt data and maintain a proper firewall, and that it prevented the public from making informed decisions as to “whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions.”
The law firm also added that the security breach is the “largest compromise of Internet security and the greatest potential for credit card fraud to ever occur in United States history.”
You can view the complaint here
April 28th – Sony Online Entertainment customer data is safe
Sony’s digital services are made up of multiple parts and although PSN and Qriocity were subjected to hacking, SOE wasn’t.
SOE posted on their blog saying, “We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons.”
April 28th – Geohot responds to PSN breach
Geohot has responded to the PSN security breach via his blog and in it states that he is not responsible for anything that took place. He also says, “let’s not fault the Sony engineers for this, the same way I do not fault the engineers who designed the BMG rootkit. The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.”
I will also note that he does not support the hacker for taking private information, as he himself has been a victim of identity theft.
April 29th – Your credit card information might be on sale
MSNBC has reported that a database of 2.2 million credit card numbers taken during the PSN outage is being offered for sale. The “cybercriminals” have outlined the following as the tables within the database: first name, last name, address, zip code, country, phone number, e-mail address, e-mail address password, date of birth, credit card number, credit card security code, and the credit card expiration date.
Though this information is being offered, Sony has not answered the hackers or tried to buy the data back; in fact, Sony already said that they never had access to the security code located at the back of the credit cards.
May 1st – Some PSN services return within a week | Full within a month
This morning, Sony held a press conference to detail the Playstation Network outage along with outlining details for restoring its services and compensation.
They discussed security measures and also some of the services they would hope to restore including:
- Restoration of Online game-play across the PlayStation®3 (PS3) and PSP® (PlayStation®Portable) systems
  - This includes titles requiring online verification and downloaded games
- Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
- Access to account management and password reset
- Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
- PlayStation Home
- Friends List
- Chat Functionality
There would also be a “Welcome Back” program that would include:
- Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
- All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
- Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.
So far the bottom line is:
– The Playstation Network is down, May 1st 2011.
– Compensation:
- Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
- All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
- Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.
– Sony DOES NOT know if credit card information has been stolen.
– Sony is trying to have some of its services online within a week and full services within a month.