Sony Press Conference Discusses PSN Intrusion, Next Steps
May 1, 2011 | By Simon Carless




During a press conference on PlayStation Network held in Japan on Sunday, which Gamasutra listened in on, Sony's Kaz Hirai and colleagues gave much additional information on the PSN and Qriocity intrusion and shutdown, revealing that the FBI has been brought in to investigate a "highly sophisticated attack".

Starting the conference, SCEI head Kazuo Hirai stated: "We would like to extend our apologies [to PlayStation Network and Qriocity users]... because we potentially compromised their customer data. We offer our sincerest apologies."

A trio of Sony executives then explained the timeline for the issues that have brought the PlayStation Network down for more than a week and a half.

The compromised server was located at AT&T's service center in San Diego, California, and run by Sony's SNEI division. Sony discovered an intrusion between April 17th and 19th, and they turned off the service on April 20th. On the same day they engaged a computer security firm to examine the issues.

It was discovered that this was a "highly sophisticated attack by a skilled intruder," who "took steps to cover his tracks". Sony then brought in two extra security firms, the second of which was hired on April 24th.

Because they "could not rule out the possibility" that information had been taken, they told customers on April 26th that their names, passwords and credit card numbers had potentially been copied, notifying the owners of 10 million accounts. The total number of accounts is 78 million, but many of them are duplicates.

While Sony again confirmed that they have no confirmed instances of stolen credit cards from the data, and that the three-digit CVV number was definitely not compromised, the company has asked the FBI for a criminal investigation, and will update "when we have something to share."

So what's next for the company in recovering? Firstly, Sony is moving the data center from San Diego to a new undisclosed location, and is also increasing security "to help defend against new attacks."

In addition, the PlayStation 3 console will have an imminent system software update which will require users to change their PlayStation Network passwords. This can only be changed on the same PS3 that the account was created on, or via a validated email.

Although no credit cards have been proven as misused after the intrusion, Sony says that "we will consider covering the cost of reissues of new credit cards to affected customers if they wish to do so."

In addition, the company will help users to enroll in theft prevention schemes, and the company will also roll out free 'welcome back' packages with selected free content on PlayStation Network. This will include a 30 day membership in PlayStation Plus for all PSN users, and existing PS+ subscribers will get 30 days extra onto their membership.

As for the timeline for rolling the service back online, "within a week" the company will "incrementally restart the services." This will start with "restoration of online gameplay across PS3 and PSP" and PlayStation Network movie playback as well as PlayStation Home, within the next week. The remainder of the services, including PlayStation Store purchasing, will return sometime within the next month.

Finally, and intriguingly, Hirai commented that "we have also received attacks from Internet group Anonymous," but these may not be related to the other intrusion. The executive noted that the group has publicized personal information about Sony's top management, including family information relating to their children's schools, on the Internet.

He concluded: "These kind of attacks... may not be limited only to Sony," and as a result, the company will co-operate with law enforcement agencies and any other authorities regarding all of these threats to ensure what Hirai called "the safety of a networked society."

In the Q&A, Hirai was asked why Sony did not inform users sooner. Hirai noted that the firm closed PSN to "prevent any spread of the damages" and then hired three companies to analyze the damage, including analyzing "voluminous data". That's why it was necessary for Sony to take action "in a gradual way," according to the executive.

Hirai also noted that stopping the PSN system took "more time than expected," and the data analysis took "more time than we had hoped," but it was because the company wanted to have the full story before coming forward.

[UPDATE: Sony has released an official press release further detailing specifics of the PSN service resumption this week.]


Comments


Ron Dippold
Well, the "we will consider covering the cost of reissues of new credit cards to affected customers if they wish to do so" would be good... if they would actually do so instead of just 'consider'ing it.



The rest of it is just opportunistic advertising. "A 30 day membership in PlayStation Plus for all PSN users" is what we'd normally call a free trial. Like when there's a class action win against you and you turn it into a 20% off coupon for one of your services.



Moving your data center's physical location doesn't do a damn thing unless the hack was social engineering.



Invoking Anonymous is utterly cheap unless you really think the person who stole all your info is a member of Anonymous, and obviously you don't or you'd be proclaiming that to the skies. This is a purposeful distraction from the lack of actual information you've given here.



Weak, Sony. You didn't tell us a damn thing we didn't already know other than where it physically happened.



Edit: Looking at my comment, it wasn't very constructive (what a dick!). What do I want, constructively? Microsoft wrote off a billion dollars to fix their incompetence with the Red Ring of Death. I want Sony's assurance that they'll make right any losses caused due to their incompetence here. If they're lucky, the crackers made off with no credit card info and it's mostly the cost of the downtime. If not, well, suck it up. But we didn't get anything tonight other than excuses.

Bowie Owens
Reading the press release I was heartened by several things. The technical improvements are a good start but I think it is a positive thing that Sony have created a new role to be responsible for security. In big corporations it is always easy to pass the blame for problems but when you have clear definitions of responsibility things often get dealt with properly.

Ron Dippold
Having someone actually in charge of security is a good thing, and constructive.



Actually, now that I've read the press release, it was far more informative and useful than the press conference was.

Thomas Lo
Why would they tell you anything more? "Hey, we were hacked in this specific manner exploiting this specific security weakness."



Sad pathetic internet troll is sad pathetic internet troll.

Ron Dippold
Because they have a severe public relations problem. And possibly legal problem, but I'm not sure what they can do about that now.



It really saddens me that even on this site criticizing your chosen side in the console wars is automatically 'trolling'. Shouldn't professionals be able to get above being so stupidly defensive, or is this like academia where the higher you get the more vicious the infighting gets?

JB Vorderkunz
Insert Sony-hater/pro-hacker scree here: .

Adam Miller
The real crime? That I can't access my credit score whenever I want, for free, even after I've been the victim of identity theft -- and that even if one pays money it is a bureaucratic nightmare to work with the credit score firms. Given the likelihood of identity theft in this day and age, it's crazy our government has allowed an essential cog in the economy to become a for-profit business.

Jason French
Damn true. Makes you wonder why people put up with it.

Aaron Eastburn
Exactly what I was thinking! I followed Sony's advice for checking my credit scores... and blew my one free check for the year.

Now I have to pay to check or monitor my credit score. If Sony want to make it right have them make arrangements with big 3 credit reporting agencies to give us a free one every month for 12 months.

Paopao Saul
"...notifying the owners of 10 million accounts. The total number of accounts is 78 million, but many of them are duplicates..."



Was Sony boasting about the 78 million user-base a while back? Apologies if I'm wrong on this, but if this is true, this is another PR red flag. I hope that Sony will be more forthcoming after this incident.

Amir Sharar
When news of this first broke out, I immediately thought of the PSP2 (or NGP, if you prefer) being the product that will be most negatively affected. It has a strong online marketplace component and if consumer confidence in that aspect is shattered, it can greatly affect the unit's appeal when it launches.



With this in mind, it sounds like Sony is taking the right steps in restoring consumer confidence.



At the same time, Sony's actions in the last week (never mind the security breach itself) have my confidence shaken somewhat. Sony's reasoning for waiting this long before telling us consumers about the issue was that they didn't really know the extent of the breach. But it would have been more responsible of them to let us know immediately that there was a breach and that personal data MAY have been compromised, and that they are working on it. That week it took for them to confirm it could potentially mean a lot of harm done to unknowing consumers during that time.



What we got was a mysterious closure of PSN services, followed by a period of no explanation for days, finally followed by piecemeal statements that shed light on the manner. So while Sony says they will handle security better in the future (and I believe them), the question is will they act more transparently and responsibly in the future?

