psn-outage-2011

Latest

  • Sony Online Entertainment explains backtracking on safety of user data

    by Ben Gilbert
    05.03.2011

    When Sony Online Entertainment announced last night that it had lost several thousand customers' credit card numbers -- though the theft came weeks earlier, during the main attack affecting Sony's PlayStation Network and Qriocity services -- something didn't add up. Sony Online Entertainment had just one week earlier specifically said that its customers' data was safe, because "SOE's systems and databases are separate from PSN's." So, how did SOE customer information leak if the "systems and databases" were different for PSN and SOE? "While the two systems are distinct and operated separately, given that they are both under the Sony umbrella, there is some degree of architecture that overlaps," an SOE rep told Joystiq this afternoon. Speaking to the method used for breaching the information, the rep told us, "The intrusions were similar in nature," indicating that the same party perpetrated both thefts. SOE also insisted once more that "This is NOT a second attack," and that yesterday's announcement was a result of "new information" that was discovered on May 1 "as part of our ongoing investigation of the external intrusion in April." It is still unknown when service will return to SOE's games, but the company says "it will be as soon as we are 100% confident that we can resume a safe and secure service."

  • Sony Online loses 12,700 credit card account numbers, 24.6 million accounts compromised [update 2]

    by Ben Gilbert
    05.02.2011

    Following up on this morning's news that Sony Online Entertainment servers were offline across the board, SOE announced that it has lost 12,700 customer credit card numbers as the result of an attack, and roughly 24.6 million accounts may have been breached. The company took SOE servers offline after learning of the attack last evening, and today detailed the unfortunate results: "approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, the Netherlands, and Spain" were lost, apparently from "an outdated database from 2007." Of the 12,700 total, 4,300 are alleged to be from Japan, while the remainder come from the aforementioned four European countries. Furthermore, Sony ties today's announcement directly to the recent attacks on PlayStation Network and Qriocity, and says SOE customer information was stolen on either April 16 or April 17. Sony has repeatedly stated that its PSN servers and SOE servers are not part of the same network, so it remains unclear just how these two attacks are tied together. Head past the break for the full statement from Sony. Update, 9:03PM EST: SOE has provided us with the following statement, in which it confirms that its user data was stolen as part of the original intrusion -- not a second attack. "While the two systems are distinct and operated separately, given that they are both under the SONY umbrella, there is some degree of architecture that overlaps. The intrusions were similar in nature. This is NOT a second attack; new information has been discovered as part of our ongoing investigation of the external intrusion in April." Update, 3:45PM EST on 5/3/11: SOE has told GamesIndustry.biz that, of the 12,700 stolen cards, just 900 were still active.

  • Sony: 'No truth' to story of credit card information sale

    by JC Fletcher
    05.02.2011

    During the marathon late-night press conference this weekend, Sony cleared up plans for the reactivation of PSN and the nature of the attack that led to its being taken down. What it didn't clear up was the status of users' credit cards. Responding to rumors that credit card numbers were offered for sale on forums -- and even presented to Sony in an attempt to get the company to buy it back -- SCEA PR director Patrick Seybold said that "to my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list." It's not quite a categorical denial of credit card information being leaked -- but at least it's confirmation that nobody's trying to extort Sony with it. Seybold reiterated what Kaz Hirai said Sunday morning: that nobody from Sony will contact you seeking any ID. Should someone do so, they are up to something nefarious.

  • SOE suspends services after discovering 'an issue'

    by James Ransom-Wiley
    05.02.2011

    Uh-oh. While Sony Online Entertainment had assured its customers last week that, "to the best of our knowledge, no customer personal information got out to any unauthorized person or persons" during last month's breach into Sony's systems, the MMO division today suspended its games and services, including its websites and Facebook titles. "We have had to take the SOE service down temporarily," the group said in a brief statement this morning. "In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately." SOE added that it would provide an update later today. In the meantime, the notification page suggests you download and play some (offline) casual games to distract you from that horrible feeling in the pit of your stomach. Update: SOE has announced that it has lost 12,700 customer credit card numbers as the result of an attack, and roughly 24.6 million accounts may have been breached. Check out our follow-up post for more information.

  • Sony's PSN regional breakdown, by the numbers

    by Ben Gilbert
    05.01.2011

    Wondering how at risk your country is percentage-wise for identity theft due to PlayStation Network's recent breach? This handy chart tweeted by 8-4's Mark MacDonald should help break down just that for you!

  • Some PSN services to return this week, full services 'within this month'

    by Ben Gilbert
    05.01.2011

    Sony's US PlayStation blog tonight announced that "some PlayStation Network and Qriocity services" will become available this week as the company scrambles to build a new server home in the wake of a security breach earlier this month. Though no specific time or date is named, the post lays out a plan to "begin a phased restoration by region" of services "shortly," alongside a mandatory system update for all consoles forcing a change in password, before the full return of services "within this month." With the return of services will also come a new position at Sony Corporation: chief information security officer, a position that will report to current chief information officer Shinji Hasejima. Additionally, the company says it is expediting an "already planned move" of its data center -- a data center the post claims to have been "under construction and development for several months," despite the attacks having only occurred within the past few weeks. Sony also detailed its "Welcome Back" appreciation program a bit more thoroughly, though it still remains unclear what content the company will be offering in various regions as an apology. The known services returning to PSN this week are listed after the break.

  • PSN 'welcome back program' includes a free download, 30 days free PlayStation Plus, Qriocity

    by JC Fletcher
    05.01.2011

    Notes handed out before a Sony press conference today (timed so conveniently at 1am EDT in the US, and noon on the Sunday of Golden Week in Japan) reveal that Sony plans to offer free downloads of unidentified "content," 30 days of free PlayStation Plus access to new and existing members, and 30 days of free Qriocity service. The paper also says that PSN service will be restored "soon." Two days ago, a PlayStation Blog Q&A post mentioned that the company was considering a "goodwill gesture" to PSN users (and sure, why not Qriocity users too) put out by the two-week outage. The company will likely have to provide much more dramatic gestures to appease all the government organizations who have taken interest in the case (and, you know, that enormous data leak). Follow along after the break for pseudo-liveblog coverage of the presentation by Kaz Hirai and other executives.

  • Congress sends inquiry to Sony about PSN security breach

    by Griffin McElroy
    04.30.2011

    The list of organizations Sony's going to be answering to about the PlayStation Network security breach is growing with alarming speed. The latest addition to the horde is the United States House of Representatives Subcommittee on Commerce, Manufacturing, and Trade, which sent a letter to executive deputy president Kazuo Hirai yesterday with a number of inquiries about the nature of the breach, as well as the company's response to its consumers' collective exposure. The letter, which was penned by subcommittee chair and California representative Mary Bono Mack, poses questions including why the company is unsure whether users' credit card info was taken, as well as what steps Sony's taking to prevent future breaches. We're assuming that the question of "When's the PSN coming back online, because some of us are trying to get some Portal 2 co-op Trophies over here," was omitted, as it was found to not be "governmenty" enough.

  • Hirai to address PSN security breach at 1 a.m. EDT

    by Griffin McElroy
    04.30.2011

    Though we've been getting frequent updates from PlayStation Blog on the state of the recently intruded-upon PlayStation Network, one of the massive corporation's higher-ups is now planning to step forward to field some of our questions. According to Reuters, Sony Corp executive deputy president Kazuo Hirai is scheduled to address the media about the PSN outage and security breach in Tokyo tomorrow at 2 p.m. (1 a.m. EDT). The predicament must be weighing heavy upon Hirai, who was promoted last month to a position meant to groom him for possibly inheriting the CEO seat from Howard Stringer. Then again, this might be the perfect opportunity for Hirai to set himself apart from the other contenders: If he singlehandedly manages to fix these problems using the ol' Hirai charms, he's a lock for the job.

  • Gamasutra examines a PlayStation brand in crisis

    by James Ransom-Wiley
    04.29.2011

    Hard as it may be to recall, at the turn of the century, "PlayStation" had replaced "Nintendo" as the colloquialism for "video game," and the PS2 was beginning its unprecedented run of 150 million units shipped. The brand was nothing short of "awe-inspiring," as Gamasutra business editor Colin Campbell recounts in a recent editorial. But a decade later, "the PlayStation brand is in gentle decline," observes Campbell. "And the events of the past week could accelerate that decline into something more serious." In his thorough assessment of Sony's "predictably pitiful" response to the current crisis, Campbell poses a most distressing possibility. Imagine if, in a year's time, we were to look back and reflect: "'It just kinda went away, didn't it? Sony entirely laid the blame on the hackers, launched a lot of legal flak, refused to take any responsibility, offered the minimum clarity and token recompense. But no-one cares any more. At least they've encrypted my personal data now.'" Could we really settle for that? While Campbell lays out an otherwise convincing ideal game plan for Sony to follow -- where is KB on this one, really? -- he's also suggesting that, aside from unavoidable short-term costs, the crisis could blow over for the company. It would seem, then, that in order to prevent such a sorry (non) response from Sony, video game media and consumers alike will have to act and not just react. Now that we've changed our passwords and checked our credit reports, what next? Do we just sit back and hope a freebie is coming our way? Is that how little it takes for us to forgive and forget? Or can we continue to push Sony for a respectful response -- and, if that fails, take our business elsewhere? The video game community at large doesn't have to clean up Sony's mess, but we owe it to ourselves and each other to ensure Sony does the job right. Otherwise, we risk continuing to be treated as uninvolved, adolescent basement-dwellers. 
    The hackers among us shouldn't be the only ones to teach Sony a lesson.

  • Homeland Security, FBI looking into PSN breach

    by JC Fletcher
    04.29.2011

    The situation surrounding the PSN outage and data breach just got real. How real? The US government is now involved. The "Computer Emergency Readiness Team," under the Department of Homeland Security, "is working with law enforcement, international partners and Sony to assess the situation," DHS spokesperson Chris Ortman told NextGov. Did you know we had a Computer Emergency Readiness Team? That team's role is to work with affected companies to improve security and restore service, and share information with other security-related organizations to prevent future breaches. Another federal agency is also looking into it, with a more punitive mindset. "The FBI is aware of the reports concerning the alleged intrusion into the Sony on line game server and we have been in contact with Sony concerning this matter," FBI Special Agent Darrell Foxworth told Kotaku. "We are presently reviewing the available information in an effort to determine the facts and circumstances concerning this alleged criminal activity."

  • Sony evaluating possible goodwill gesture for PSN outage and breach

    by Griffin McElroy
    04.29.2011

    There's been a lot for PSN users to be concerned about regarding the service's outage and recent, user-exposing security breach -- but one element that's gone unaddressed by Sony is, hey, what's in it for us? In a new, late night edition of PlayStation Blog's Q&A, Sony responds to our outcries for compensation, saying, "We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online." The FAQ post also confirms that any Trophies earned during the downtime will be synced without a hitch once the network comes back online, and that Friends lists and PlayStation Plus saves haven't been lost. Which is great, because that is definitely what we were worried about. Definitely not the fact that we're all in imminent danger of getting totally Talented Mr. Ripley'd.

  • Geohot: War on hackers, lack of security experts caused PSN debacle

    by Griffin McElroy
    04.28.2011

    With all the recent hubbub concerning the PSN outage and security breach, the plight of legally beleaguered PS3 jailbreaker George "Geohot" Hotz may have slipped from your periphery. However, the notorious hacker recently posted in his personal blog about the incident, explaining he had nothing to do with the attacks on Sony's user info database. "I'm not crazy," Hotz said, "and would prefer to not have the FBI knocking on my door." Hotz added that the gaming community might be misplacing some of its anger over the intrusion, saying, "Let's not fault the Sony engineers for this, the same way I do not fault the engineers who designed the BMG rootkit." He added, "The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts." A good point -- though, now, we think they're probably going to need all the lawyers they can get.

  • PSA: PlayStation Blog comment system tied to PSN accounts, also down

    by JC Fletcher
    04.28.2011

    The PSN outage has caused another (online) casualty: the PlayStation Blog's comment system. Commenters are required to sign in using their PlayStation Network accounts, which, of course, are inaccessible. Only those who signed in before the PSN went down are able to comment. The European PS Blog warns that the cookies on comment account logins expire after a week, which means that even those lucky enough to have signed in just before PSN went kaput will lose their online voices soon. The site lists Twitter accounts for each country, and directs users to leave feedback there. Though, if we were Sony, we would have a hard time looking at that feedback.

  • Sony Online Entertainment says its customer data is safe

    by Ben Gilbert
    04.28.2011

    Though the PlayStation Network and Qriocity side of Sony's digital services may have been subject to a massive breach of user information, it seems that Sony Online Entertainment product users are safe. SOE reps took to Sony's forums to clear the air, saying, "We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons." The post also acknowledges a "continuing investigation" currently taking place at SOE, and notes that the company will "promptly notify" customers of any change in the situation. SOE's games -- including Free Realms and DC Universe Online -- temporarily went offline on April 21 and have since had service restored. An SOE rep states that "SOE's systems and databases are separate from PSN's," thus explaining how the company's games are still working -- and how your information wasn't stolen. Meanwhile, as reported by our sister site Massively, SOE is working on a "make good plan" for Free Realms and DCUO players on the PlayStation 3, as well as holding a handful of in-game events across multiple games in the coming weeks.

  • Sony: New PS3 firmware to accompany PSN relaunch, network being physically rebuilt

    by Randy Nelson
    04.27.2011

    Sony has posted an updated PSN outage FAQ on the PlayStation Blog, and while some information it contains seems to reiterate things we already know -- "some services" will return within a week, you should monitor your credit card(s) -- new details have been brought to light. First off, Sony is "working on a new system software update that will require all users to change their password once PlayStation Network is restored." It's also been confirmed that PSN is being physically rebuilt as a result of last week's intrusion. SCEA PR director Patrick Seybold states in the FAQ that the company is "moving our network infrastructure and data center to a new, more secure location, which is already underway." Also revealed: While "the entire credit card table was encrypted" and there remains "no evidence that credit card data was taken," PSN's personal data table "was not encrypted, but was, of course, behind a very sophisticated security system." Not sophisticated enough, apparently.

  • Rumor: Sony distributing new security-enhancing SDK to PS3 devs

    by Randy Nelson
    04.27.2011

    Sony is reportedly making the most of the PlayStation Network's hacker-triggered downtime by providing developers with new security tools to integrate into their games. Gamasutra cites development sources who say that they are being asked to begin using a new version of the PS3 SDK prior to PSN going back online, something that's supposed to happen within the next seven days. Joystiq has reached out to its own development sources in an attempt to confirm this report. If you're a developer with insight into the steps Sony is taking to secure PSN against future security breaches, we'd love to hear from you at tips@joystiq.com.

  • Class action lawsuit filed against Sony for security breach

    by Griffin McElroy
    04.27.2011

    As expected, the first federal class action lawsuit addressing the recent PSN security breach has been drawn up and submitted to the Northern District Court of California. The complaint, which was filed by the Rothken Law Firm representing 36-year-old Alabama resident Kristopher Johns (as well as every other affected PSN user), accuses Sony of "failure to maintain adequate computer data security of consumer personal data and financial data," and of failing to take "reasonable care to protect, encrypt, and secure the private and sensitive data of its users." The suit also accuses the company of waiting too long to inform users about the breach, preventing them from making "an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions." The suit is seeking compensatory damages for the time and costs required to check their credit reports or change their credit or debit card information, as well as compensation for the PSN downtime. According to IGN, Rothken Law Firm co-counsel J.R. Parker said in a statement, "Sony's breach of its customers' trust is staggering." He added, "Sony promised its customers that their information would be kept private. One would think that a large multinational corporation like Sony has strong protective measures in place to prevent the unauthorized disclosure of personal information, including credit card information. Apparently, Sony doesn't." A PDF of the court document is embedded after the jump.

  • Sony may be hit with £500K fine over PSN data loss

    by JC Fletcher
    04.27.2011

    The UK's Information Commissioner's Office (ICO), a non-departmental public body, has contacted Sony to determine where PlayStation Network data is stored -- not in an effort to locate the hackers who reportedly grabbed it, but to determine whether any of it is being stored in the UK. If PSN user data is stored in the UK, then it is subject to the Data Protection Act, which requires companies that hold personal data to provide adequate security for it. Notably, the law would trump Sony's PSN Terms and Conditions, which includes the line: "We exclude all liability for loss of data or unauthorised access to your data, Sony Online Network account or Sony Online Network wallet and for damage caused to your software or hardware as a result of using or accessing Sony Online Network." "If we found a breach," an ICO rep told Edge, "one of the actions we could take would be to issue an undertaking, which is an agreement between the ICO and the company that if they are handling personal information they have to bring about set improvements in order for them to be compliant with the act." If the company fails to comply, the rep added, "further action would be taken, and we might consider an enforcement notice or issue a monetary penalty." For a serious breach, the fine can reach £500,000 (more than $800,000). Admittedly, that wouldn't be a huge payout for Sony, but considering the other costs of the security breach and PSN outage the company stands to incur, it would probably sting a little.

  • PSN Breach: What it means for you, and for Sony

    by Griffin McElroy
    04.27.2011

    It's been nearly one week since the PlayStation Network servers were taken down due to an "external intrusion," and nearly one day since we learned PSN users' personal information was stolen during said intrusion. We're still not quite sure of the full scope of the security breach, but the latest update from Sony paints a fairly upsetting picture: Gamers' personal (and, possibly, financial) data has been exposed on a scale more massive than the gaming industry has ever seen. To help get a grasp on the situation, we spoke with consumer advocates and tech industry figures about what gamers can expect in the aftermath of this security breach. For instance: What financial or legal repercussions might Sony be facing in the coming months? And what can PSN users do to protect themselves from potential identity theft?