Playstation Network Breach: It’s Really, Really Bad

By  |  Tuesday, April 26, 2011 at 2:17 pm

Sony’s Playstation Network outage has gone from one of the worst Internet service interruptions ever to one of the worst security failures in consumer electronics history.

If you’re one of the 70 million members of the Playstation Network or Qriocity services, all of your personal and login information is compromised. Everything. That includes your name, address, e-mail address, birthday, user name and password. Your profile data, purchase history and password security answers may be compromised as well.

Sony says there’s no evidence that credit card information was taken, but it “cannot rule out the possibility.” Sony’s encouraging PSN users to keep a close watch on their credit card statements, and has provided information for users who want to set up fraud alerts. You can find those details at the official Playstation Blog.

As for when PSN will be back up, Sony says it has “a clear path” to bring systems back online, and hopes to restore “some services within a week.” However, Sony now has much bigger problems, having let a wealth of personal information, and possibly financial information, fall into the wrong hands.

All users will be getting a notification from Sony via e-mail, advising them to change their passwords for PSN (once it’s back online) and any other service for which the same password is used. Users are also warned to watch out for e-mail, postal and telephone scams.¬†Understatement of the year goes to this sentence in Sony’s letter: “We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience.”

 
44 Comments


Read more: , ,

44 Comments For This Post

  1. Sweetwater Says:

    EPIC FAIL

  2. Justin DaFonte Says:

    Never buying another Sony product again. This angers me so much. Sony failed in the PS2 generation for online services and combining this atrocity with the implications they attempted to nail George Hotz for, have clearly rose above the rest and shown that they are no contendor for online services. I hope they go out of business in gaming. They have no place anymore. Why has it taken so long to issue such a statement, one that completely invalidates statements made by Sony reps on the uk.playstation blog saying there was no information compromised?

    Pathetic. Utterly pathetic. I hope every product they ever make is pirated into the ground for such a terrible mistake and terrible demeanor in handling such a serious breach which could have disasterous consequences for it’s userbase. Hopefully signed homebrew and games become a possibility to lead to the demise of this hard arsed company’s ways.

  3. GavinSpaceFace Says:

    Absolutely appalling Fail. Seriously – this is disgraceful. And what can you do about it? Nothing :(

  4. Neil Says:

    If card data has got iout, they would be in breach of PCI DSS regulations.

    TJ Maxx got an absolute arse kicking over a broadbly similar breach several tyears ago – looks like no-one has learned a sodding thing.

  5. Joe Says:

    If cc info didn’t get out is this really that big of a deal. Most of this info (aside from the pw) is available on most people on the net anyway. If you are using the same pw everywhere you get what you deserve.

  6. P r Says:

    My credit card details must have been compromised by psn, I had my bank call me on Monday 2 successful fraudulent online purchases and 1 for £1600 made on Sunday which my bank luckily checked with me before accepting.

  7. Frank Says:

    Until companies and institutions face credible liability there will remain little incentive for them to devote little more than the minimum effort to security.

    Unfortunately the public by and large accepts this as "pay to play" and has become complacent about breaches.

  8. Anthony Says:

    How can this information not be encrypted on the servers, or was it the same key as the ps3.

  9. VaticanAssassin NinjaWarlocks Says:

    GEOHOT, have you been a bad boy?

  10. Bobidy Says:

    Even if they encrypted your password, you can "decode" the encryption using rainbow tables if your password is not too complex. So whether or not it was encrypted is irrelevant if you use a simple password.

  11. dave bacher Says:

    Encryption doesn’t work for addresses, names and phones BC the server has to be able to use them. Security qa sb hashed, or btr still use phone… For credit cards, billing needs to work like PayPal agreements – one authorization agreement and a shared secret at purchase time. But no credit card company supports that. So for recurring billing and credit, they have to store the whole number with reversible encryption and that is harder to defend – and is not taught properly. Stuff like Linq and nhibernate make iteasier to do the wrong way.

    Sony did it wrong, but they had tons of help.!

  12. durban Says:

    Perhaps if they spent less time going after the less than 1% of people who root their systems, and spent more building actual security, they wouldnt be having this problem

  13. Tom Says:

    What do you expect when you mess with hackers? You sued the kids who cracked the PS3 and you angered the modding community, also that group.. I think it was 'an0nymous'? You really think you were safe doing that? It's pure payback – anyone can see.

  14. Alex Says:

    Supernova failure but will happen again and again just because software idiots save the users' information without offering a cleanup or option to not store (for real).
    While you keep putting the gold under glass pane, the thieves will try to break to get at it.

    Stop this nonsense of saving credit cards data, pronto ! But I reckon there is the convenience side so you have to judge by yourself the trade-off.

  15. The_Heraclitus Says:

    IF you're using passwords THAT simple, you are subject to Darwin.

  16. NastyNate Says:

    This whole situation has class action suit written all over it.

  17. BET Says:

    The interesting thing is that 70+ million people have accounts on PSN… That's probably more than most banks. Sigh… I would like to think that the group responsible for ensuring the security of those 70+ million accounts is standing on their heads right now worried about 2 things– 1) the inexcusable breach that allowed apparently unrestricted access to the PSN database and 2) where they plan to spend the rest of their natural lives, considering a breach this large might be considered criminal negligence. Even if they were sentenced to a single hour of jail time for each account breached,that's still 7,991 years… :)

  18. BrideOfPinbot Says:

    I'm glad you all have opinions, now let's just hope this gets back up soon and they can make it happen. In a world where others are concerned over their life about taking a bus to work, I think we can consider ourselves fools for making such a stink about something that is obviously a flaw in our society to be so reliant on technology to begin with. It's fun, so I'm just keeping my fingers crossed I can play some SF4 and watch my Hulu sooner rather than later.

  19. BET Says:

    It is important to remember that if a company elects to store consumer credit card information, they assume the burden of protecting that information–just as they would their own. When a company fails to do that, they then become responsible for the financial liability of EACH account compromised.

    While Sony is publicly suggesting that it is not likely that credit card information was compromised, the fact that they are not ruling it out is VERY significant. It implies that they cannot say, beyond a shadow of a doubt, that the CC information remains uncompromised.

    From an IT perspective, this would suggest that the security measures which should have been in place to isolate sensitive financial information from general user information were either NOT there, or were also compromised.

    A breach of this nature is almost certainly systemic and quite likely extends even into their corporate databases–a fact which may never reach public ears.

  20. BET Says:

    Collecting sensitive personal and financial information is certainly NOT against the law–especially when it is freely provided by the owners of that information. The problem occurs when 1) the information is collected without the owner's direct knowledge and permission, and 2) when the company collecting said information does not disclose a) it's intended usage of the information and b) when said information has been compromised.

    In this case, it seems as if Sony "did the right thing" by notifying the public of the breach and compromised data. In my not so humble opinion, the problem lies in the apparently lax security protocols that allowed the breach in the first place. A company like Sony, should have sufficient financial resources to implement top-notch, best-of-breed security practices and policies.

  21. BET Says:

    @Mat:

    You make a good point, and I'm 100% certain that Sony will make every effort to do just that–send the guilty hackers to prison. However, as I stated earlier, when a company collects sensitive personal and financial data, it assumes the responsibility for ensuring the protection of that information. So, if a single individual, or even a group of individuals, can successfully, breach Sony's security–don't you think the company has some explaining to do?

  22. PCashMan Says:

    Being an IT professional with over 20 years experience I feel that I can speak knowledgeably to this issue. Additionally, I have been married to an attorney for 15+ years and have discussed this matter ad nauseum with my wife.

    Sony assumes no criminal liability in this breach. Sony has entered into contracts with the 70+ million subscribers and as such is limited to civil liabilities in this matter as set forth in said contracts. Consequently, Sony is only responsible for meeting the conditions of the contract as agreed to by each subscriber plus any negligence on thier part as a fudciary party in securing thier subscribers sensitive and financial information.

    Sony has committed NO CRIME!

    Part 1:

  23. PCashMan Says:

    Now, as for the technical aspect of this incident. If Sony was negligent in the manner in which the information was stored there may be a case for breach of an implied, or possibly stated – I am not a subscriber and have not seen nor read the contract for service, fudciary responsibility in securing subscribers sensitive information.

    Sony is a large and experienced company and is, OR SHOULD BE, aware of most if not all common hack and exploits that exist in todays network / software / hardware environments. Knowing this, they should have implemented all avilable resources and technologies in an effort to prevent exposure of subscribers sensitive information.

    Part 2:

  24. PCashMan Says:

    Addendum:

    The last sentence in paragraph 2 of Part: 2 should read:

    "Knowing this, they should have implemented all available resources technologies in an effort to prevent exposure of subscribers sensitive information."

    The last sentence in paragraph 3 of Part: 3 should read:

    "And NO, I am in no way affiliated with, work for or know anyone who is in any way associated with Sony!"

  25. Mat Says:

    I agree completely, but getting services back online should be a priority. Once they have a new security system in place they can give exact details about what they had in place. Either Sony will be far in the wrong use outdated/useless security protocols, or the hackers have found something new or are very good at what they do, and Sony had security much like many others out there. Either way I'm sure heads will roll inside Sony, if I was head of security I'd be handing in my resignation even if it's the latter case above.

  26. Tom B Says:

    I'd hold off on the dancing. I'd wage Sony does a better job with secure than MSFT– they probably have the XBox network on Windows servers!

  27. BlueCollarCritic Says:

    "Hacking a personal ps3 is in no way similar to hacking a multilayered, secured network. The legal and monetary ramifications are in different leagues all together. ~ Onlooker"

    You're right it’s not. Hacking a PS3 is legal and still SONY put its full force behind pummeling the kid so as to send a message to all who would dare to think they own what they bought. While the hack of the PSN network is illegal and I have no doubt SONY will do its most to find the perp(s). The question is will they do equally as much to make right with the users??? Doubt it.

    Like most corporations they will do as little as the law allows them to get away with and then less so long as the right peoples payoffs are up to date.

  28. BET Says:

    You make some interesting points, but I think your statement "Sony has committed NO CRIME!" may be a bit premature as it is far too early to determine if Sony has committed any crimes. That's not to imply guilt w/o due process–simply stating that it's too early in the game to call. However, your posts echoed my previous posts on several points, such as Sony's obligation to publicly disclose the breach, and the fact that a company of Sony's stature *SHOULD* have had top-notch data security measures in place. If Sony did not have adequate security measures, or if they were were not properly implemented, I think Sony might still have to consider criminal charges of some kind. Either way, the company has some explaining to do.

    more…

  29. Jorge Says:

    No problem if well salted by Sony…

  30. Imotep Says:

    LOL… "I'd wage Sony does a better job with secure than MSFT?" Hello MacFly!! They weren't the ones hacked *facepalm*

  31. EdK Says:

    There's a very real possibility that anonymous did not do this. They've denied it, and that's not like a hacker group.
    Additionally, this seems to open the door for the government to implement anti-privacy regulations to prohibit 'cyber terrorism' and 'protect' us on the Internet.

    Sounds crazy maybe, but this is just the kind of bad PR the government needs to start pushing through regulations that limit our freedoms on the Internet.

  32. DanaTA Says:

    PCashMan, Sony is actually criminally liable, for any person's information that was compromised who lives in Massachusetts. They passed a law last year…for any personally identifiable information that is compromised they are liable to a fine of $1Million per record. How many users do you think they have that live in Massachusetts? And personally identifiable information has been defined, in that law, as even the user's email address!

    There are probably hundreds of thousands of users in Boston alone! Last I read, other states were considering similar legislation.

    The company that lost the data does not have to be in Massachusetts, only the users whose data was lost.

  33. minardi Says:

    Makes you think on the validity of cloud computing with your data in someone else server farm.

  34. John Says:

    Get an xBox. Everything is done with MS point purchased from retailers so you don't have to give any financial info.

  35. Joe Says:

    The larger failure here that no one discusses is how is it possible that simply knowing a credit card number and expiry date gives anyone access to the money in the account . The credit card industry should be completely shame faced that the 'security' of their payment system relies on protecting numbers that can be either stolen or generated. The banking system should wake up and stop putting the onus on merchants for protecting their ridiculously insecure system.

  36. Guest Says:

    And they are watching you and laughing at Redmond, Langley and China…

  37. Beau Woodcock Says:

    Guys, Sony executives announced Anonymous is not linked to the incident.

  38. Alen Coder Says:

    I don't know about you but shopping online can get you many discounts. Such as arvixe coupon code and the best of all, when ever you are searching for stuff online, try searching for discount codes.

  39. TomPeris Says:

    Supernova failure but will happen again and again just because software idiots save the users' information without offering a cleanup or option to not store (for real).
    While you keep putting the gold under glass pane, the thieves will try to break to get at it.

    Stop this nonsense of saving credit cards data, pronto ! But I reckon there is the convenience side so you have to judge by yourself the trade-off. Tennis Elbow Treatment

  40. akismet-02040afbf766e2bef0851f90f890c869 Says:

    Can't believe so much data was stolen!

    Muay Thai

  41. steelers jersey Says:

    Thank you for this great resource, these articles are very helpful (so many left to read). Awesome job and thanks again for doing something for other people on your day. steelers jersey

  42. steelers jersey Says:

    Nice post.Thank you for taking the time to publish this information very useful!I’m still waiting for some interesting thoughts from your side in your next post thanks.steelers jerseys cheap

  43. Mia Says:

    Seems that Sony is in trouble with PlayStation!
    Progress in research for Link Building Service.

  44. poker heaven review Says:

    Well, this is pretty bad for Sony! Especially considering we are in 2011 and that such a long Internet service interruption is totally unacceptable from a customer standpoint. poker heaven review