You’ve been trying every day for more than a week now to log onto PSN. Portal 2 just released and you’re excited to take advantage of the cross-platform functionality of Valve’s STEAM service and play some co-op with your buddies—however, you may be waiting longer. Here is a detailed timeline of what has happened so far on the Playstation Network security breach of 2011.
The PSN and Qriocity network goes offline. Sony issues a statement that’s short and sweet, stating:
“We’re aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information.
Thank you for your patience.”
The company then states that it is still investigating the cause of the outage, and that it will be a “full day or two” before everything is back to normal. Sony Europe’s Playstation Blog suggests the networks have been attacked, but later removes the post. According to several media outlets, it had stated:
“Our support teams are investigating the cause of the problem, including the possibility of targeted behaviour by an outside party.”
This is the first sign that the outage is more than just scheduled maintenance or failure, but rather could be a security issue.
The previous day’s suspicion of an outside attack becomes truth when Sony reveals the cause of the problems.
“An external intrusion on our system has affected our Playstation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off Playstation Network and Qriocity services.”
This came from their official statement. At this moment, we have no time frame, or even the slightest idea, of when the services will be online again.
After another 24 hours of no service, Sony again updates its customers, saying that it is now completely rebuilding its network infrastructure. The company deems the work time-consuming, but necessary to provide the system with additional security.
An official spokesman for Sony in Tokyo says that a thorough investigation is underway. Sony has not discovered yet if customers’ personal information has been compromised, but, at the same time, states that if that was the case, they would let them know as soon as possible. It’s also claimed that the computer security experts called in have concluded that a breach of data had occurred when the network was hacked. They did not, however, announce this information until the following day.
Sony releases their lengthiest and most detailed statement to date. Included in the paper is the confirmation that personal information has been stolen. This includes names, addresses, birth data, e-mail addresses, and other info. They don’t specifically say that banking information is compromised, but “we cannot rule out the possibility.” They urge customers to watch their accounts for any suspicious activity. We finally get a release window of “within the week” for when both the Playstation Network and Qriocity will be back online.
Shares of the company fall 2 percent. Also, a class action lawsuit is filed against Sony over the data breach; details about the case are over at CNET. Finally, a detailed Q&A is released, shedding some light on the state of the security of banking information. Sony claims that the data was stored encrypted, and says, “We have no evidence that credit card data was taken.”
Piling upon the previous 2 percent, Sony shares drop another 4.5 percent. Also, George Hotz, who was involved with the company earlier for posting code that could be used to circumvent system design and “jailbreak” a Playstation, says that the attack on the PSN was due to Sony’s “War on Hackers.” He continues, saying, “They (Sony) whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts.” This is also the first mention of a form of compensation to their ever-so-patient customers.
Based on posts and chat logs, it’s conclusive that the hackers responsible for the attack have credit card numbers and are trying to sell them off. Other details include an attempt by the hackers to sell the information back to the company. Their offer is refused by Sony, who claim that the information was safe no matter what.
Sony continues to receive criticism—this time with a letter from the United States House of Representatives Subcommittee on Commerce (what a mouthful, eh?). Addressed to Kaz Hirai, deputy president, it asks questions about the nature of the breach, and Sony’s response to their customers. It’s also released that Hirai will be addressing the media publicly about the breach and outage at 2 P.M. Tokyo time, or 1 A.M. EDT.
Kaz Hirai addresses the public at an official Sony press conference to address concerns about the breach, and also to announce more details. The official press release outlines not only that PSN and Qriocity services will be available by the end of the week, but also the newly implemented security measures. From the release:
The new security measures implemented include, but are not limited to, the following:
- Added automated software monitoring and configuration management to help defend against new attacks
- Enhanced levels of data protection and encryption
- Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns
- Implementation of additional firewalls
Also, Sony will be launching a “Welcome Back Appreciation” program as a token of their appreciation for their customers’ patience:
Central components of the “Welcome Back” program will include:
- Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
- All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
- Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.
However, this isn’t limited to the list, but will expand over the following weeks as the service returns to normal operation.
The official U.S. Playstation blog updates again, and offers more details and crucial clarification. The previous news that Sony was offered the chance to buy back the credit card numbers is quickly debunked:
“One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge, there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list.”
The post also addresses the assumption that passwords and customer data were not encrypted and were easily accessible to those in possession of said data:
“One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures, which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.”
The post then wraps up with assurances that Sony will not contact customers directly for any information.
But recent developments show that it isn’t only the PSN and Qriocity that have been hit by hackers. Coming from a subscription-based news outlet, it seems that Sony Online Entertainment has been breached, supposedly with a release of 12,700 credit card numbers and other info as well. It’s rumoured that the stolen data was dated 2007, and could have been a previous backup of a system.
Responding to the letter that was sent earlier to them by the US House of Representatives’ Subcommittee on Commerce, Manufacturing, and Trade, Sony replied with an open letter outlining their principles for dealing with the outage, and breaches. The letter can be viewed in its entirety on flickr. Details include:
In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:
- Act with care and caution.
- Provide relevant information to the public when it has been verified.
- Take responsibility for our obligations to our customers.
- Work with law enforcement authorities.
It also states that they had discovered a file on one of the SOE servers entitled “Anonymous” and “We are Legion.” However, they have still to identify those responsible for the attack.
Finally, the Welcome Back program is further detailed. Sony will be offering free downloads, Playstation Plus memberships, and Qriocity to those subscribers. It will be 30 days, plus the length of the outage. (via Joystiq)
The Playstation Network outage and hack is surely going to be one of the biggest stories of the year in gaming. This isn’t good publicity for a service that considers its ridiculously low price an advantage. Many loyal fans are already contemplating switching to other consoles such as Xbox Live or Steam (which have been quoted as saying their services are working smoothly). Fans are even suggesting that mandatory payment be part of the PSN subscriber system, saying that “the revenue would create a better online experience than the one that they aren’t using as of now.” What was planned to be a major year for the company began with a rocky start. The fact that the intrusion went farther than expected indicates that this is a very serious issue of security, and could lead many to re-examine who they trust with their information in exchange for entertainment.
Do you think the program compensates for the hassle? Can Sony bounce back to their previous reputation? Or is the image of their online service forever stained?
Sources: The Official Playstation U.S blog, Cnet.com, engadget.com, g4tv.com, Joystiq