Gamasutra: The Art & Business of Making Games
PSN Return Delayed, Sony Removes Exposed Personal Details
May 7, 2011 | By Kris Graft




Sony on Friday said it would have to further delay the return of PlayStation Network following a massive security breach, just as reports stated hackers posted personal details from a Sony database.

According to a Reuters report out of Tokyo, Sony was able to remove those published details from a website, although the report didn't say exactly which website hosted the stolen information.

Personal details of some 2,500 people were posted, including names and "some addresses" that were in a 2001 database. The security breach has affected 77 million PSN and Qriocity accounts, and 24.6 million Sony Online Entertainment accounts.

The news of the publishing of the details comes just as Sony confirmed that PSN would not be relaunching some network services as soon as planned. Previously, the company said it hoped to start a relaunch within a week of a PSN press conference that occurred April 30.

And on Thursday, Sony Computer Entertainment America said that it was in the final stages of testing its new security system. But a Sony spokeswoman confirmed with Reuters that relaunching within the original expected time frame would not be possible, and there is no firm date for the return of online services.

The latest note from SCEA senior director of corporate communications Patrick Seybold on Friday night said, "When we held the press conference in Japan last week, based on what we knew, we expected to have the services online within a week."

"We were unaware of the extent of the attack on Sony Online Entertainment servers, and we are taking this opportunity to conduct further testing of the incredibly complex system," he added. "...Additional comprehensive system checks and testing are still required, and we must complete that process before bringing the systems online."

Sony is also reportedly considering offering a reward for help in catching the perpetrators of the cyber attack, according to The Wall Street Journal's All Things Digital blog, which cited "people familiar with the matter."

The reward may or may not be implemented, the report said, as Sony executives are weighing the pros and cons of such a move, which would be made in coordination with law enforcement.

[UPDATE: An update to the Reuters report and a separate report in The Wall Street Journal said the personal information was on a Sony-affiliated website, which the company was unaware was accessible to people outside of Sony.

The information was made public by cyber intruders and was from a 2001 product sweepstakes contest. No credit cards, social security numbers or passwords were revealed. The company took down the website on Thursday.

"The website was out of date and inactive when discovered as part of the continued attacks on Sony," the company said.]


Comments


Jonathan Murphy
Sony should do these three things. 1.) Offer a $1 million reward. 2.) Advertise to the public that when you catch the hackers they are going to jail for life if they don't turn themselves in. 3.) Cancel billing account activity with PSN and SOE! My friends are still getting billed for active accounts when the servers are down! That is ridiculous. Give us access to our accounts! I want to get in immediately and remove my credit card info. Yes I'm aware they idiotically keep credit card records going back to the stone age. I still want to remove the most recent data.

Eric Cartman
Agreed.



Also, Sony has more than a million dollars to "inspire" people. Up that a few and they'll be in by next week.

Sean Currie
Yup. Because Sony has the power to decide how much jail time the hackers would get. Yup. Nothing wrong with that. Not at all. Life in prison. For hacking.



Life.



In prison.



For hacking.



That's reasonable to you? You realize that the majority of the compromising data (i.e. credit cards) was encrypted, correct? And it would be almost impossible for that encryption to actually be broken?



You also realize that outside of being unable to play Portal 2, and the possible temporary loss of revenue for game makers, that PSN being down is largely an inconvenience? And that there are crimes in this world that do warrant life in prison, and none of them amount to anything that can be perpetrated by hacking into a video game network?



I have some advice for you Jonathan, and I truly hope you take it. Until the PSN is up, stop worrying. Go outside. See the world. Read a book. Gain some perspective on life. When it returns, change your passwords. If you want to be really cautious, check with your bank to see if there's been any untoward activity on your card (spoiler alert: they'll say no, because there's only a possibility of people having the encrypted data, not your actual credit card numbers). Be slightly more wary of phishing scams. And most importantly? Be thankful that you live in a comfy, first world bubble and that this minor event can be deemed so apocalyptic that you honestly, truly believe it's worth life in prison.

Joe Cooper
I'm with Currie. This is by a mile only a big deal for Sony who has sales to worry about. Life in prison is a very serious thing, easy words to throw around but ought to be seen more like an execution. Don't forget what the anti capital punishment folks say; execution can be the "easy way out" compared to life in prison. It is a life ender except you still have to sit and rot for twenty five years.

Kristoph Kellogg
That's a mixture of good and bad advice, Sean. Go outside, relax, don't worry much until the Sony networks are back online, then change your password? Absolutely. Get your credit cards reissued? Maybe.



Believe that your info is secure because it was encrypted? No WAY! They have the passwords. Many, if not most, have already been decrypted. All but the most devilishly contrived, insanely complex, absurdly long, and completely random passwords can be cracked in under 10 seconds by software that is available to anyone. Most people, almost everyone, in fact, use simple passwords that can be cracked in less than a second. Routines can be set up to crack them one after another while the hacker does whatever they please.



Credit card numbers are easier than most passwords to crack because they only use the digits 0-9 and have a standard format. The good news is that Sony has emphatically stated that they know which credit card numbers were obtained. Those numbers were from Playstation Network subscribers in Western Europe, and were from a 2007 database that did have some currently active credit card numbers in it. I'm sure that card issuers and card holders are being informed as quickly as possible. If you were a subscriber in the affected region during 2007 you might want to take appropriate action, but most people don't have to worry about it at all.



If you want to be secure change your passwords frequently, use temporary credit card numbers and don't give anyone more personal information than they really need. Anywhere your personal info is sitting, if it's accessible through the web it's vulnerable, whether it's Sony, your bank, or even your own computer.



I'm not saying you should be paranoid, I'm saying you should be careful, and don't sacrifice security in favor of convenience. If this event woke you up to that fact, good. Do some research for yourself, there are a lot of security experts out there offering information and advice free to everyone but remember, you are responsible for your own security.



Oh yeah, and life behind bars for hacking? Enforced by a corporation? Holy overreaction Batman! Maybe we should put them to the rack as well? You do need a bit of perspective, Jonathan.



Yes, they're criminals. Yes, 'if' they're caught they should be punished... appropriately... I'm pretty sure this isn't the time or the forum for a discussion of exactly what that punishment should be. We don't know who they are, other than possible associates of the very loosely organized hacker group, Anonymous, the extent of their crimes or even the real damage done. We're not even sure if the same people are responsible for all of the intrusions. Let's not organize the lynch mob just yet...

Brian Buchner
Took the words right out of my mouth. Life would've been tough for these hackers amongst the *murderers*... I'm pretty sure they would've been the bitch.

Michiel Hendriks
I don't care about the hackers. My identity is in limbo. Securing the potential stolen identities should be prio #1. Going after the hackers is useless if they already handed over the data. Sure, the hackers might get some jailtime. But that doesn't fix my identity theft issue.

Brian Buchner
That's a much smaller deal than you think.

Bryan Lapointe
I agree resolving the identity theft issue is definitely the most important thing but how else would one do that? The only real way to resolve the identity theft issue is to catch the people with the information and find out exactly what they did with it. Otherwise all they know is your info is out there somewhere with no idea who has it or what their intentions are or how far they will run with it unless people are caught your identity will be in limbo forever (at the absolute minimum your name and birth date could potentially be out there forever and those two things make it easy to find out a lot of other information about you).

Eric Parayos
How about this...Yes this sucks, yes it's not what we expect from a multi billion dollar company to slack on security, yet on the OTHER HAND... Sony is too cheap to hire proper techs to help build support, AND SONY ITSELF is under a lawsuit from SELLING personal info, OUR INFO to 3rd parties who try to sell us crap. We don't REALLY NEED video games to live, but yes we love them. I think the hackers should be proud to fight for us while another BILLIONS and BILLIONS of worth corporation takes our money, then sells our names to even worse people...SALESMEN!! ANYBODY REMEMBER ENRON!!!??? Steal from the poor, back to the rich, so it is, so it's always been. Who fights for us? Not ourselves

Jared Mackenzie
It's not a small deal at all. The information they doesn't disappear. Ten years down the road they still have 77 million people's information. Outdated or not they could use that info to gain more on anyone whose identity was taken. Maybe some of the identities that were stolen will never amount to anything but some of those people may have much more to lose. The hackers are terrorists and should be treated like it. Life in prison should be a minimum.

Bryan Lapointe
It seems some of you have a very narrow and short-sighted view of identity. To anyone with even average intelligence that information can cause some serious (long term) harm to the innocent people whose only crime was having information on PSN. It's cute to think of the hackers getting one over on Sony but that's only half the story, they also to financially destroy countless people. In the US the last case near this magnitude (40 million people affected) saw the defendant getting 20 years plus 3 years probation which wasn't even the maximum allowed under law, chances are good the person or persons responsible for this will be looking at maximum sentences for whatever applicable charges there are (which may or may not include life sentences for the major players). For those of you who will point out they may not be American might I remind you the FBI and Congress are currently involved so extradition of the suspects is a VERY real possibility. As this is the largest case of identity theft ever committed (world wide) so you can bet they will put some serious effort into catching the people connected with it. I would be pretty surprised if they don't catch the people responsible and nail them to the wall.

Jeffrey Crenshaw
"Life in prison should be a minimum."



Yeah, a minimum. A maximum, their life and their kids' lives in prison. That'll teach 'em.

Olivier Riedo
Worth noting there's a bit of a misrepresentation (a mistranslation by Reuters?) of the latest breach: the data of the 2,500 sweepstakes contestants was posted by Sony staff on an employee-use server which, for some reason, had public access enabled. All the "hackers" did was post the address all over the net.

Jonathan Murphy
They stole data from 100,000,000 accounts. That has to mean something! If that's not a crime, then what is?! It's important that they remind the hackers that the law isn't going to be gentle if they continue. Sony screwed up. 100 million accounts isn't jay walking. Don't go easy on the pyromaniac because the building has already burned to the ground.

Sean Currie
No one is saying it's not a crime. Data theft is a crime and punishable under federal law in most countries. But committing a crime does not equal an automatic life sentence. For one, the law must consider the amount of damage a crime does and then weigh that against the intent of perpetrators.



For example, if they simply hacked the PSN and did nothing but intrude on the network? Probably a very limited fine (if any) - particularly if it was a first time offense.



If they hacked the PSN and stole account details and credit card details (which seems to be the case) then a larger fine and probably jail time is in order.



If they attempt to sell or exploit that data for personal gain? Probably a significant amount of jail time in accordance with most other kinds of fraudulent activity. But a life sentence? Really? You can kill a man and not necessarily get a life sentence.



And 100 million accounts seems like a large number, with the exception of the fact that much of the account data is absolutely worthless (which is probably why Sony didn't bother to encrypt it in the first place). Most of that data is already floating around freely online, and most of it is not considered "private" - that's how companies like Facebook get away with selling it to others in order to make billions.



As for your pyromaniac example. Actually, going easy on him would be precisely what the law would do. If I set fire to an already burned building or a pile of rubble I might be charged with mischief or reckless endangerment. I sure as hell wouldn't be charged with arson.

Adam Bishop
If you don't think that data is considered to be "private", I'd recommend reading some privacy legislation, because it very definitely is (at least in Canada, I can't say I'm overly familiar with privacy legislation elsewhere, but I would have to guess it's at least somewhat similar).

Sean Currie
Perhaps "private" wasn't the best choice of words. "Inaccessible" would be a better one.

Jared Mackenzie
Cyber crimes are a different entity. I agree murderers should get bigger punishment but that has nothing to do with a cyber crime. Do you remember a few years ago? A college kid hacked Sarah Palin's email. He was charged with four crimes including identity theft. The crimes accumulated to 50 years in federal prison. Of course he wasn't sentenced to the full. He ended up getting 1 year and a day in prison. Imagine if he did that to 77 million people? What would happen to him then?

R G
Idk, I just hope Sony recovers from this. I understand being angry at their recent antics, and I honestly don't blame people for being angry as suggested courses such as "emails, writing, phone calls" don't work, but there is a line...



When your tactics involve hurting gamers or consumers who have nothing to do with the company itself, it's time to look in the mirror.



I agree with Currie's comment though. It's hard to believe that this couldn't have been an inside job, with Anonymous as a scapegoat. I know they launch DDoS attacks, but cracking encrypted credit numbers? I don't know.

Sean Currie
I think the organization of Anonymous is also something that's tripping up a lot of journalists as well. People seem to either hop on to one of two extremes: Anonymous is either entirely incorporeal and nothing can be attributed to them, or everyone is Anonymous and thus anyone taking credit technically IS Anonymous.



Both views seem too simplistic to me. It's true that Anonymous certainly has common members within the hacker community and most of them communicate using the same channels and organize particular protests at the behest of those common members. But, Anonymous is still a loose collective, and nothing can really be said to be "officially sanctioned" by Anonymous until it reaches a certain threshold of support among the larger community. The attacks on Paypal and Mastercard over the Wikileaks issue is a good example. The success of those DDoS attacks required mass participation of willing people under the guise of Anonymous. Given that the attacks were successful, it can be said that it reached that particular threshold necessary to qualify as "officially sanctioned". The hack of the HBGary emails, while perpetrated only by one (or possibly slightly more) people didn't involve the collective, but it was ultimately supported by it. Again, that seems to qualify as reaching the threshold necessary to be called an Anonymous action.



The PSN hack on the other hand doesn't work. The collective (both the common and, for lack of a better term, "higher up" members) have rejected the action. Indeed, they entirely ceased their attacks on Sony prior to this happening. Given that people who collectively campaign under the Anonymous label rejected the attack, the actions of these hackers are theirs and theirs alone. Journalists need to stop referring to this as an Anonymous action. They might have been participants in the original DDoS attacks, but anything beyond that was an action they undertook by themselves.



The best metaphor I've heard for Anonymous is one that describes them as a flock of birds. It's in the moment that a collective action is happening that Anonymous actualizes. There aren't any "sects" or "splinter groups" of Anonymous. If birds break away from the flock, they're not "splinter groups" of the flock. They're just birds.



And these guys are just hackers. The same as any other hackers who act independently. And really, journalists need to start being honest and refer to them as such. I know that a super hacker group is a concept that's just too sexy to ignore, but the fact is that Anonymous is a social and media (and social media) phenomenon. It's not a conspiracy. Not a group. It can't be arrested, or charged, or subpoenaed. And websites like Joystiq, Kotaku and Gamasutra need to stop feeding the conspiracy theory.

John Martins
Anonymous is supposed to be a collective of people with no set leader, so whoever keeps making those videos needs to get his big, inflated head off that high horse!

R G
Lol, Anonymous does have leadership. They just don't ASSUME leadership.

R G
Exactly. Could not have put it better.

Mark dogg
Having bio data of thousand or million is of no use other than spamming. But Sony should compensate for anyone whose credit card was misused and proved that it was obtained from PSN not otherwise

[User Banned]
This user violated Gamasutra’s Comment Guidelines and has been banned.

Amir Sharar
I don't remember anyone claiming that the hacker(s) stealing CC info is being treated unfairly.

Richard Vaught
Ok folks, let's spin some perspective on all of this. The vast majority of what they took, was things that could just have easily been taken from the yellow pages, with the exception of email (which could most likely be gotten off Facebook, LinkedIn, or some other site) and the encrypted credit card database, which, being nearly five years old contains primarily expired card numbers and NOT the additional security code. So, please, please stop acting like they hacked your bank account. If you have personally had your identity stolen from the incident (and by that I mean someone has actually used your data to perpetrate fraud) then stop the madness.



If you don't accept the risk of an online life, then don't live online. Disconnect yourself and go off the grid, pay in cash, disconnect your modem, cell phones, and all of your consoles, etc. Guess what, you will still be vulnerable. Whether you want to believe it or not, all of your information has probably been stolen from so many sources that it isn't even funny, so all this should be seen as is yet another copy of your life exposed to the world.

