Playstation Network Breach: It’s Really, Really Bad

By | Tuesday, April 26, 2011 at 2:17 pm

Sony’s Playstation Network outage has gone from one of the worst Internet service interruptions ever to one of the worst security failures in consumer electronics history.

If you’re one of the 70 million members of the Playstation Network or Qriocity services, all of your personal and login information is compromised. Everything. That includes your name, address, e-mail address, birthday, user name and password. Your profile data, purchase history and password security answers may be compromised as well.

Sony says there’s no evidence that credit card information was taken, but it “cannot rule out the possibility.” Sony’s encouraging PSN users to keep a close watch on their credit card statements, and has provided information for users who want to set up fraud alerts. You can find those details at the official Playstation Blog.

As for when PSN will be back up, Sony says it has “a clear path” to bring systems back online, and hopes to restore “some services within a week.” However, Sony now has much bigger problems, having let a wealth of personal information, and possibly financial information, fall into the wrong hands.

All users will be getting a notification from Sony via e-mail, advising them to change their passwords for PSN (once it’s back online) and any other service for which the same password is used. Users are also warned to watch out for e-mail, postal and telephone scams. Understatement of the year goes to this sentence in Sony’s letter: “We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience.”


42 Comments For This Post

  1. Sweetwater Says:

    EPIC FAIL

  2. GavinSpaceFace Says:

    Absolutely appalling Fail. Seriously – this is disgraceful. And what can you do about it? Nothing 🙁

  3. Neil Says:

    If card data has got out, they would be in breach of PCI DSS regulations.

    TJ Maxx got an absolute arse kicking over a broadly similar breach several years ago – looks like no-one has learned a sodding thing.

  4. Joe Says:

    If cc info didn’t get out is this really that big of a deal. Most of this info (aside from the pw) is available on most people on the net anyway. If you are using the same pw everywhere you get what you deserve.

  5. P r Says:

    My credit card details must have been compromised by PSN. I had my bank call me on Monday: 2 successful fraudulent online purchases, and 1 for £1600 made on Sunday which my bank luckily checked with me before accepting.

  6. Frank Says:

    Until companies and institutions face credible liability there will remain little incentive for them to devote little more than the minimum effort to security.

    Unfortunately the public by and large accepts this as "pay to play" and has become complacent about breaches.

  7. Anthony Says:

    How can this information not be encrypted on the servers, or was it the same key as the ps3.

  8. VaticanAssassin NinjaWarlocks Says:

    GEOHOT, have you been a bad boy?

  9. Bobidy Says:

    Even if they encrypted your password, you can "decode" the encryption using rainbow tables if your password is not too complex. So whether or not it was encrypted is irrelevant if you use a simple password.

  10. The_Heraclitus Says:

    IF you're using passwords THAT simple, you are subject to Darwin.

  11. Jorge Says:

    No problem if well salted by Sony…

  12. dave bacher Says:

    Encryption doesn’t work for addresses, names and phones because the server has to be able to use them. Security Q&A should be hashed, or better still use phone… For credit cards, billing needs to work like PayPal agreements – one authorization agreement and a shared secret at purchase time. But no credit card company supports that. So for recurring billing and credit, they have to store the whole number with reversible encryption and that is harder to defend – and is not taught properly. Stuff like Linq and nhibernate make it easier to do the wrong way.

    Sony did it wrong, but they had tons of help!
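An added illustration of the point raised in comments 9, 11 and 12 (this is editor's example code, not from the article or any commenter): an unsalted hash of a weak password falls to a precomputed lookup table built once and reused against every account, while a per-user random salt plus a slow KDF makes that table useless. The wordlist is constructed for the demo, and SHA-1 stands in as the weak scheme only.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for the inputs of a precomputed table
# (a rainbow table is a compressed form of the same idea).
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123"]
ITERATIONS = 100_000  # PBKDF2 work factor; slows every guess


def unsalted_sha1(password: str) -> str:
    """The weak scheme comment 9 warns about: one fixed digest per password,
    identical for every user who picked the same password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> password once; reusable against any unsalted store."""
    return {unsalted_sha1(w): w for w in words}


def recover_unsalted(stored_hash: str, table: dict) -> Optional[str]:
    """Offline recovery: a single dictionary lookup, no hashing at all."""
    return table.get(stored_hash)


def salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> tuple:
    """The 'well salted' scheme of comment 11: a fresh 16-byte random salt per
    user and a deliberately slow KDF. Returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    _, digest = salted_pbkdf2(password, salt)
    return hmac.compare_digest(digest, stored)


def table_hits_salted(salt: bytes, stored: bytes, table: dict) -> bool:
    """Shows why the table fails: the stored digest never appears in it, so an
    attacker must rerun the KDF per candidate per user instead of looking up."""
    return stored.hex() in table
```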

  13. durban Says:

    Perhaps if they spent less time going after the less than 1% of people who root their systems, and spent more building actual security, they wouldn't be having this problem.

  14. Tom Says:

    What do you expect when you mess with hackers? You sued the kids who cracked the PS3 and you angered the modding community, also that group.. I think it was 'an0nymous'? You really think you were safe doing that? It's pure payback – anyone can see.

  15. Alex Says:

    Supernova failure but will happen again and again just because software idiots save the users' information without offering a cleanup or option to not store (for real).
    While you keep putting the gold under glass pane, the thieves will try to break to get at it.

    Stop this nonsense of saving credit card data, pronto! But I reckon there is the convenience side so you have to judge by yourself the trade-off.

  16. NastyNate Says:

    This whole situation has class action suit written all over it.

  17. BET Says:

    The interesting thing is that 70+ million people have accounts on PSN… That's probably more than most banks. Sigh… I would like to think that the group responsible for ensuring the security of those 70+ million accounts is standing on their heads right now worried about 2 things: 1) the inexcusable breach that allowed apparently unrestricted access to the PSN database and 2) where they plan to spend the rest of their natural lives, considering a breach this large might be considered criminal negligence. Even if they were sentenced to a single hour of jail time for each account breached, that's still 7,991 years… 🙂

  18. BrideOfPinbot Says:

    I'm glad you all have opinions, now let's just hope this gets back up soon and they can make it happen. In a world where others are concerned over their life about taking a bus to work, I think we can consider ourselves fools for making such a stink about something that is obviously a flaw in our society to be so reliant on technology to begin with. It's fun, so I'm just keeping my fingers crossed I can play some SF4 and watch my Hulu sooner rather than later.

  19. BET Says:

    It is important to remember that if a company elects to store consumer credit card information, they assume the burden of protecting that information–just as they would their own. When a company fails to do that, they then become responsible for the financial liability of EACH account compromised.

    While Sony is publicly suggesting that it is not likely that credit card information was compromised, the fact that they are not ruling it out is VERY significant. It implies that they cannot say, beyond a shadow of a doubt, that the CC information remains uncompromised.

    From an IT perspective, this would suggest that the security measures which should have been in place to isolate sensitive financial information from general user information were either NOT there, or were also compromised.

    A breach of this nature is almost certainly systemic and quite likely extends even into their corporate databases–a fact which may never reach public ears.

  20. BET Says:

    Collecting sensitive personal and financial information is certainly NOT against the law–especially when it is freely provided by the owners of that information. The problem occurs when 1) the information is collected without the owner's direct knowledge and permission, and 2) when the company collecting said information does not disclose a) it's intended usage of the information and b) when said information has been compromised.

    In this case, it seems as if Sony "did the right thing" by notifying the public of the breach and compromised data. In my not so humble opinion, the problem lies in the apparently lax security protocols that allowed the breach in the first place. A company like Sony, should have sufficient financial resources to implement top-notch, best-of-breed security practices and policies.

  21. BET Says:

    @Mat:

    You make a good point, and I'm 100% certain that Sony will make every effort to do just that–send the guilty hackers to prison. However, as I stated earlier, when a company collects sensitive personal and financial data, it assumes the responsibility for ensuring the protection of that information. So, if a single individual, or even a group of individuals, can successfully breach Sony's security–don't you think the company has some explaining to do?

  22. Mat Says:

    I agree completely, but getting services back online should be a priority. Once they have a new security system in place they can give exact details about what they had in place. Either Sony will be far in the wrong, using outdated/useless security protocols, or the hackers have found something new or are very good at what they do, and Sony had security much like many others out there. Either way I'm sure heads will roll inside Sony; if I was head of security I'd be handing in my resignation even if it's the latter case above.

  23. PCashMan Says:

    Being an IT professional with over 20 years' experience I feel that I can speak knowledgeably to this issue. Additionally, I have been married to an attorney for 15+ years and have discussed this matter ad nauseam with my wife.

    Sony assumes no criminal liability in this breach. Sony has entered into contracts with the 70+ million subscribers and as such is limited to civil liabilities in this matter as set forth in said contracts. Consequently, Sony is only responsible for meeting the conditions of the contract as agreed to by each subscriber plus any negligence on their part as a fiduciary party in securing their subscribers' sensitive and financial information.

    Sony has committed NO CRIME!

    Part 1:

  24. PCashMan Says:

    Now, as for the technical aspect of this incident. If Sony was negligent in the manner in which the information was stored there may be a case for breach of an implied, or possibly stated – I am not a subscriber and have not seen nor read the contract for service – fiduciary responsibility in securing subscribers' sensitive information.

    Sony is a large and experienced company and is, OR SHOULD BE, aware of most if not all common hacks and exploits that exist in today's network / software / hardware environments. Knowing this, they should have implemented all available resources and technologies in an effort to prevent exposure of subscribers' sensitive information.

    Part 2:

  25. PCashMan Says:

    Addendum:

    The last sentence in paragraph 2 of Part: 2 should read:

    "Knowing this, they should have implemented all available resources and technologies in an effort to prevent exposure of subscribers' sensitive information."

    The last sentence in paragraph 3 of Part: 3 should read:

    "And NO, I am in no way affiliated with, work for or know anyone who is in any way associated with Sony!"

  26. BET Says:

    You make some interesting points, but I think your statement "Sony has committed NO CRIME!" may be a bit premature as it is far too early to determine if Sony has committed any crimes. That's not to imply guilt w/o due process–simply stating that it's too early in the game to call. However, your posts echoed my previous posts on several points, such as Sony's obligation to publicly disclose the breach, and the fact that a company of Sony's stature *SHOULD* have had top-notch data security measures in place. If Sony did not have adequate security measures, or if they were not properly implemented, I think Sony might still have to consider criminal charges of some kind. Either way, the company has some explaining to do.

    more…

  27. Tom B Says:

    I'd hold off on the dancing. I'd wage Sony does a better job with secure than MSFT– they probably have the XBox network on Windows servers!

  28. Imotep Says:

    LOL… "I'd wage Sony does a better job with secure than MSFT?" Hello MacFly!! They weren't the ones hacked *facepalm*

  29. BlueCollarCritic Says:

    "Hacking a personal ps3 is in no way similar to hacking a multilayered, secured network. The legal and monetary ramifications are in different leagues all together. ~ Onlooker"

    You're right it’s not. Hacking a PS3 is legal and still SONY put its full force behind pummeling the kid so as to send a message to all who would dare to think they own what they bought. While the hack of the PSN network is illegal and I have no doubt SONY will do its most to find the perp(s). The question is will they do equally as much to make right with the users??? Doubt it.

    Like most corporations they will do as little as the law allows them to get away with and then less, so long as the right people's payoffs are up to date.

  30. EdK Says:

    There's a very real possibility that anonymous did not do this. They've denied it, and that's not like a hacker group.
    Additionally, this seems to open the door for the government to implement anti-privacy regulations to prohibit 'cyber terrorism' and 'protect' us on the Internet.

    Sounds crazy maybe, but this is just the kind of bad PR the government needs to start pushing through regulations that limit our freedoms on the Internet.

  31. DanaTA Says:

    PCashMan, Sony is actually criminally liable, for any person's information that was compromised who lives in Massachusetts. They passed a law last year…for any personally identifiable information that is compromised they are liable to a fine of $1Million per record. How many users do you think they have that live in Massachusetts? And personally identifiable information has been defined, in that law, as even the user's email address!

    There are probably hundreds of thousands of users in Boston alone! Last I read, other states were considering similar legislation.

    The company that lost the data does not have to be in Massachusetts, only the users whose data was lost.

  32. minardi Says:

    Makes you think on the validity of cloud computing with your data in someone else server farm.

  33. John Says:

    Get an xBox. Everything is done with MS point purchased from retailers so you don't have to give any financial info.

  34. Joe Says:

    The larger failure here that no one discusses is how is it possible that simply knowing a credit card number and expiry date gives anyone access to the money in the account. The credit card industry should be completely shamefaced that the 'security' of their payment system relies on protecting numbers that can be either stolen or generated. The banking system should wake up and stop putting the onus on merchants for protecting their ridiculously insecure system.

  35. Guest Says:

    And they are watching you and laughing at Redmond, Langley and China…

  36. Beau Woodcock Says:

    Guys, Sony executives announced Anonymous is not linked to the incident.


  39. akismet-02040afbf766e2bef0851f90f890c869 Says:

    Can't believe so much data was stolen!

  42. poker heaven review Says:

    Well, this is pretty bad for Sony! Especially considering we are in 2011 and that such a long Internet service interruption is totally unacceptable from a customer standpoint.