Sony guesses that hackers got into the network through an "application server," through which they were then able to get into the database servers and grab data.
Hirai estimates that about 10 million PSN users have active credit cards tied to PSN. Security measures will include moving to a new physical data center, more firewalls, and a new "Chief Security Officer." And, of course, a PS3 firmware update. Passwords will only be changeable through the same PS3 that the account was started on, or through a verified email address. Hirai asks you to "be vigilant" and check your credit card statements. Good advice!
Sony will not contact you under any circumstances asking for your credit card number or other personal info. So if someone claiming to be Tom Sony asks for your credit card verification code, you're getting scammed!
Sony is "considering" covering the costs of credit card replacement for affected users. The company is instituting a "welcome back" program including free downloads of selected content, 30 days of free PlayStation Plus for new and existing users, and -- for Qriocity members -- 30 days of free services.
Hirai just called out Anonymous as having attacked Sony by releasing personal info about executives and family members. Sony will cooperate with law enforcement and other organizations to secure data and ensure safety. The fact that this note came right after the Anonymous thing suggests that they'll work with law enforcement to track those kids down too.
Nikkei just asked if all 10 million credit cards got out. Hirai said "we can't rule out the possibility" that credit card info was compromised, but Sony hasn't received any reports of illicit card info usage. Another exec on stage said that all Sony knew on April 20 was that there may have been an intrusion.
Hirai just reminded us that it's not really 78 million people whose info got stolen, because some of those 78 million accounts are duplicate accounts for the same person. He refrained from providing details of the investigation, because the case has just started. But he did say that "not to his knowledge" has Sony been working with law enforcement agencies out of the US, but they have brought "inquiries" to Sony.
The vulnerability in the web server was a known vulnerability for that particular type of server, one of the execs on stage said.
Hirai defended the long response time by saying that Sony took the PSN down as soon as something was shown to be wrong, but analysis took time. "Once we became aware of the situation, we moved promptly to warn customers."
A reporter asked what the purpose of the "intrusion" was. Hirai: "For the past month and a half, we've experienced attacks on various Sony systems. We have yet to identify a direct relationship with a group." Speculation about the objective: "We are not in a position to say one way or the other." That same reporter asked if passwords were encrypted. I believe (translation not being perfect) that Hirai said they were not.
If customers wish to cancel their services, Sony will cooperate in good faith.
Sony has to "keep the integrity" of its system to continue to encourage content creators to create products for PlayStation, Hirai says. Protection of customer information has always been part of the plan since the PS2 network. But now Sony has to "review" its system.
Another exec says Anonymous has attacked "repeatedly," but Sony doesn't know who is behind the recent attacks.
A reporter just asked why Sony Japan was slower to disclose the news than SCEA. Backhanded pat on the back, PlayStation Blog US. Hirai said SCEJ is looking into deploying a PS Blog for Japan.
Because the freebie content will be different by region, Sony was hesitant to put a price on it, but Hirai estimated "a few thousand yen" worth of free downloads. So like $20-25 or so?
In response to a question about install base, Hirai said 37 million PS3 systems are connected to PSN, and 16 million PSP units, but the total install base is larger. Sony isn't disclosing the userbase for Qriocity yet.
Why not hold a press conference on April 27, when the announcement was made? That's the question we all want answered ... according to Hirai, Sony wanted to have an estimate about resumption of services before holding a conference.
In response to concerns about future security, Hirai pledged that Sony will "do its best" to ensure secure data. If that helps.
"If there are, in the days ahead, damages suffered by customers, they will be dealt with on a case-to-case basis," Hirai says.
The evening's final question: what is Hirai's view about the relationship of this case to Anonymous? Hirai says there's "no certainty" of a connection. "It's not intended that they were implicated in any way" regarding this intrusion.
And that's the show! Go to sleep.