PlayStation Network outage
Encyclopedia
The PlayStation Network outage was the result of an "external intrusion
" on Sony's PlayStation Network and Qriocity
services, in which personal details from approximately 77 million accounts were stolen and prevented users of PlayStation 3
and PlayStation Portable
consoles from playing online through the service. The attack occurred between April 17, 2011 and April 19, 2011, forcing Sony to turn off the PlayStation Network on April 20, 2011. On May 4, 2011, Sony confirmed that individual pieces of personally identifiable information
from each of the 77 million accounts appeared to have been stolen. The outage lasted for approximately 23 days.
At the time of the outage, with a count of 77 million registered PlayStation Network accounts, data theft
of personally identifiable information would make it one of the largest data security breaches in history. This would surpass the TJX hack in 2007 which affected 45 million customers. Government officials in various countries have voiced concern at failing to protect customers' personal details and Sony's belated warning that user details could have been obtained in the security breach—nearly a week after the initial external intrusion.
Sony stated on April 26 that it was attempting to get online services running again "within a week". On May 14, 2011, Sony released PlayStation 3 firmware version 3.61 as a security patch. The firmware required users to change their password upon signing into the PlayStation Network. At the time the firmware was released, the PlayStation Network was still offline and in preparation to be brought back online. Regional restoration was announced by Kazuo Hirai in a video from PlayStation. A map of regional restoration and the network within the United States was shared as the service was being brought back online.
, users would receive the message indicating that the PlayStation Network is "undergoing maintenance". The following day, Sony asked its customers for patience while the cause of downtime was being investigated and stated that it may take "a full day or two" to get the service fully functional again.
The company later explained that an "external intrusion" had affected the PlayStation Network and Qriocity
services. This intrusion had occurred between April 17 and April 19. On April 20, Sony had suspended all PlayStation Network and Qriocity services worldwide, causing the outage. Sony expressed their regrets for the downtime and called the task of re-building the system time consuming. This, however, would lead to a stronger network infrastructure and additional security. On April 25, Sony's Senior Director of Corporate Communications & Social Media
, Patrick Seybold, reiterated on the PlayStation Blog that fixing and enhancing the network was a "time intensive" process with no currently available ETA. However, the next day Sony stated that there was a "clear path to have PlayStation Network and Qriocity systems back online", with some services expected to be restored within a week. Furthermore, Sony stated that there had been a "compromise of personal information as a result of an illegal intrusion on our systems."
On May 1, 2011, Sony announced a "Welcome Back" program for customers affected by the outage. The company also confirmed that some PSN and Qriocity services would be available during the first week of May. The list of services expected to become available included:
On May 2, 2011, Sony issued a press release, according to which the Sony Online Entertainment
services had been taken offline for maintenance due to potentially related activities during the initial criminal hack that caused the PlayStation Network outage. Over 12,000 credit card numbers from non-U.S. cardholders and additional information from 24.7 million SOE accounts may have been stolen.
During the week, Sony sent a written letter to the US House of Representatives, answering questions and concerns about the event. In the letter Sony announced that they would be providing Identity Theft insurance polices in the amount of $1 million USD per user of the PlayStation Network and Qriocity services despite no reports of credit card fraud being indicated. This was later confirmed on the PlayStation Blog, where it was announced that the service, AllClear ID
Plus powered by Debix
, would available to users in the United States free for 12 months, and is to include internet surveillance, complete identity repair in the event of theft and a $1 million ID theft insurance policy for each user.
On May 6, 2011, Sony stated they had begun "final stages of internal testing" for the PlayStation Network, which had been rebuilt. However, the following day Sony reported that they would not be able to bring PSN services back online within the one-week timeframe given on May 1, because "the extent of the attack on Sony Online Entertainment servers" had not been known at the time. Sony Online Entertainment confirmed by means of their Twitter account that their games would not be available until some undisclosed time after the weekend.
At the same time, reports from Reuters began reporting the event as "the biggest Internet security break-in ever" with more direct answers from the Corporation in which a Sony spokesperson said:
On May 15, 2011, various PlayStation Network services began being brought back online on a country-by-country basis, starting with North America. These services include: sign-in for PSN and Qriocity services (including password resetting), online game-play on PS3 and PSP, playback of rental video content, Music Unlimited service (PS3 and PC), access to third party services (such as Netflix, Hulu, Vudu and MLB.tv), friends list, chat functionality and PlayStation Home. This accompanies a firmware update for the PS3, version 3.61. However, as of May 15, 2011, reinstatement of the service in Japan and East Asia has not yet been approved.
On May 18, 2011, SCE shut down the password reset page on their site following the discovery of an exploit in the system, which allowed users to reset other users' passwords, as long as they knew the email address and date of birth of the user. Sign-in using PSN details to various other Sony websites was also disabled, but console sign-ins were not affected.
On May 23, 2011 Sony stated that the costs of the PlayStation Network outage were $171 million.
Sony relayed during the letters that:
meant that Sony provided an update in regards to a criminal investigation in a blog posted on April 27, 2011: "We are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible."
On April 3, 2011, Sony Computer Entertainment CEO Kaz Hirai reiterated this and said the "external intrusion" which had caused them to shut down the PlayStation Network constituted a "criminal cyber attack". Hirai expanded further, claiming that Sony systems had been under attack prior to the PlayStation Network outage "for the past month and half", suggesting a concerted attempt to target Sony.
On May 4, 2011, Sony announced that it was adding another company to the investigation team. Data Forte will join Guidance Software and Protiviti
in analysing the attacks. Legal aspects of the case will be handled by law firm Baker & McKenzie. Sony stated their belief that Anonymous
, or some portion thereof, may have set the stage for the attack. Anonymous denied involvement.
Upon learning that a breach had occurred to the PlayStation Network, Sony launched an internal investigation. Sony reported, in its letter to the United States Congress:
Additional details were provided as follows:
was unable to play certain Capcom
titles that were downloaded from the PlayStation Store. Streaming video providers throughout different regions such as Hulu
, Vudu, Netflix
and LoveFilm
are noted to be inaccessible displaying the same maintenance message, although some users have claimed to have been able to still use Netflix
's streaming service.
such as PlayStation Network account username, password, home address, and email address had been compromised. Sony also mentioned the possibility of credit card data being obtained after claiming that encryption had been placed on the databases, which would partially satisfy PCI Compliance for storing credit card information on a server.
Subsequent to the announcement in both the official blog and by e-mail, PlayStation Network users were asked to safeguard credit card transactions by checking bank statements. This warning came nearly a week after the initial "external intrusion
" and when the Network was turned off.
Some disputed this explanation and queried that if Sony deemed the situation so severe that they had to turn off the PlayStation Network on April 20, 2011, Sony should have subsequently warned users of possible data theft rather than on April 26, 2011. Concerns have been raised over both violations of PCI Compliance and failure to notify users immediately following breach of security involving financial information and credit card data. US Senator Richard Blumenthal wrote to Sony Computer Entertainment America CEO Jack Tretton
questioning Sony why it took so long to inform users that personal details could have been obtained through unauthorized means.
Sony stated in their letter to the subcommittee:
reported that "If the provider stores passwords unencrypted, then it's very easy for somebody else – not just an external attacker, but members of staff or contractors working on Sony's site – to get access and discover those passwords, potentially using them for nefarious means."
On May 2, Sony clarified the "unencrypted" status of users' passwords, stating that:
servers being compromised and taken offline on the previous day. This portion of the attack resulted in the theft of information on 24.6 million Sony Online Entertainment account holders. The database contained 12,700 credit card numbers, particularly those of non-U.S. cardholders, and had not been in use since 2007 as much of the data contained within applies to expired cards and accounts that have been deleted. Sony updated this information the following day by stating that only 900 cards on the database were still live. The discovery of this attack resulted in the suspension of Sony Online Entertainment servers as well as SOE Facebook
games. Sony Online Entertainment has already stated that they plan to grant 30 days of free time, plus a day for each day the server is down, to users of Clone Wars Adventures
, DC Universe Online
, EverQuest
, EverQuest II
, EverQuest Online Adventures
, Free Realms
, Pirates of the Burning Sea
, PlanetSide
, Poxnora
, Star Wars Galaxies
, and Vanguard: Saga of Heroes
, as well as other forms of compensation for all other Sony Online games.
Security experts Eugene Lapidous of AnchorFree, Chester Wisniewski of Sophos Canada
and Avner Levin of Ryerson University
criticized Sony, questioning its methods of securing and storing user data. Lapidous called the breach "difficult to excuse" and Wisniewski called it "an act of hubris or simply gross incompetence".
website SonyPictures.com
was hacked on 2 June 2011, with unencrypted
passwords and personal information of Sony customers within the website's database being discovered by the hackers.
Hulu
has also given notice that they will be compensating PlayStation 3 users for the inability to use their service during the outage. They are offering one week of service compensatory to all Hulu Plus members.
On May 16, 2011, Sony announced that two PlayStation 3 games and two PSP games would be offered for free from lists of five and four (respectively) once the PlayStation Store has regained functionality. The games available varies by region and are only available in countries which have access to the PlayStation Store. On May 27, 2011, Sony announced the "welcome back" package for Japan and the Asia region (Hong Kong, Singapore, Malaysia, Thailand and Indonesia). In the Asia region, a theme - Dokodemo Issyo Spring Theme - will be offered for free in addition to the games available in the "welcome back" package.
5 PSP games are offered in the Japanese market.
Killzone Liberation will not offer online gameplay functionality.
, said that the breach "certainly ranks as one of the biggest data losses ever to affect individuals". The British Information Commissioner's Office stated that Sony will be questioned, and that an investigation will take place to discover whether Sony had taken adequate precautions to protect customer details. If found in breach of the UK's Data Protection Act, Sony could face fines of up to £500,000. The Privacy Commissioner of Canada
, Jennifer Stoddart
confirmed that the Canadian authorities would investigate the incident, and the Commissioner's office conveyed their concern as to why the authorities in Canada weren't informed of a security breach earlier. US Senator Richard Blumenthal
of Connecticut
demanded answers from Sony about the data breach by emailing SECA CEO Jack Tretton
arguing about the delay in informing its customers and insisting that Sony do more for its customers than just offer free credit reporting services. Senator Blumenthal later called for an investigation of the breach to be launched by the US Department of Justice to find the person or persons responsible for the breach and to determine if Sony may be liable for the way that it handled the situation. Congresswoman Mary Bono Mack and Congressman G. K. Butterfield
sent a letter to Sony, demanding information on when the breach was discovered and how the crisis will be handled. Sony had been asked to testify before a congressional hearing on security and to answer questions about the breach of security on May 2, 2011 but sent a letter response instead which answered the subcommittee's questions.
on behalf of all PlayStation users alleging Sony "failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back online." According to the complaint filed in the lawsuit, Sony has failed to notify members of a possible security breach and storing members' credit card information, a violation of PCI Compliance—the digital security standard for the Payment Card Industry.
Another lawsuit was filed in Canada by Natasha Maksimovic and claims damages up to C$
1 billion which includes free credit monitoring and identity theft insurance. It was filed against Sony USA, Sony Canada and Sony Japan. The plaintiff in the case is quoted as saying: "If you can't trust a huge multi-national corporation like Sony to protect your private information, who can you trust? It appears to me that Sony focuses more on protecting its games than its PlayStation users".
Sony stated in their letter to the subcommittee:
On May 5, a letter from United States Sony Corporation of America CEO and President Sir Howard Stringer further emphasized that there had been no evidence of credit card fraud and that a $1 million dollar identity theft insurance policy would be available to PSN and Qriocity users:
) to sue Sony over any future security breaches. This also includes any ongoing class action suits initiated prior to the August 20, 2011.
Another clause, which theoretically removes a user's right to trial by jury, if the user does opt out of the clause (done by sending a letter to Sony), says:
Hacker (computer security)
In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...
" on Sony's PlayStation Network and Qriocity
Qriocity
Sony Entertainment Network , formerly called Qriocity , is a trading name for Sony Corporation's streaming music, games, e-books and video on demand services. A video streaming service with the name has been available in the United States since April 2010...
services, in which personal details from approximately 77 million accounts were stolen and prevented users of PlayStation 3
PlayStation 3
The is the third home video game console produced by Sony Computer Entertainment and the successor to the PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft's Xbox 360 and Nintendo's Wii as part of the seventh generation of video game consoles...
and PlayStation Portable
PlayStation Portable
The is a handheld game console manufactured and marketed by Sony Corporation Development of the console was announced during E3 2003, and it was unveiled on , 2004, at a Sony press conference before E3 2004...
consoles from playing online through the service. The attack occurred between April 17, 2011 and April 19, 2011, forcing Sony to turn off the PlayStation Network on April 20, 2011. On May 4, 2011, Sony confirmed that individual pieces of personally identifiable information
Personally identifiable information
Personally Identifiable Information , as used in information security, is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual...
from each of the 77 million accounts appeared to have been stolen. The outage lasted for approximately 23 days.
At the time of the outage, with a count of 77 million registered PlayStation Network accounts, data theft
Data theft
Data theft is a growing problem primarily perpetrated by office workers with access to technology such as desktop computers and hand-held devices capable of storing digital information such as USB flash drives, iPods and even digital cameras...
of personally identifiable information would make it one of the largest data security breaches in history. This would surpass the TJX hack in 2007 which affected 45 million customers. Government officials in various countries have voiced concern at failing to protect customers' personal details and Sony's belated warning that user details could have been obtained in the security breach—nearly a week after the initial external intrusion.
Sony stated on April 26 that it was attempting to get online services running again "within a week". On May 14, 2011, Sony released PlayStation 3 firmware version 3.61 as a security patch. The firmware required users to change their password upon signing into the PlayStation Network. At the time the firmware was released, the PlayStation Network was still offline and in preparation to be brought back online. Regional restoration was announced by Kazuo Hirai in a video from PlayStation. A map of regional restoration and the network within the United States was shared as the service was being brought back online.
Timeline of the outage
On April 20, 2011, Sony acknowledged on the official PlayStation Blog that it was "aware certain functions of the PlayStation Network" were down. Upon attempting to sign in to the PlayStation Network via the PlayStation 3PlayStation 3
The is the third home video game console produced by Sony Computer Entertainment and the successor to the PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft's Xbox 360 and Nintendo's Wii as part of the seventh generation of video game consoles...
, users would receive the message indicating that the PlayStation Network is "undergoing maintenance". The following day, Sony asked its customers for patience while the cause of downtime was being investigated and stated that it may take "a full day or two" to get the service fully functional again.
The company later explained that an "external intrusion" had affected the PlayStation Network and Qriocity
Qriocity
Sony Entertainment Network , formerly called Qriocity , is a trading name for Sony Corporation's streaming music, games, e-books and video on demand services. A video streaming service with the name has been available in the United States since April 2010...
services. This intrusion had occurred between April 17 and April 19. On April 20, Sony had suspended all PlayStation Network and Qriocity services worldwide, causing the outage. Sony expressed their regrets for the downtime and called the task of re-building the system time consuming. This, however, would lead to a stronger network infrastructure and additional security. On April 25, Sony's Senior Director of Corporate Communications & Social Media
Social media
The term Social Media refers to the use of web-based and mobile technologies to turn communication into an interactive dialogue. Andreas Kaplan and Michael Haenlein define social media as "a group of Internet-based applications that build on the ideological and technological foundations of Web 2.0,...
, Patrick Seybold, reiterated on the PlayStation Blog that fixing and enhancing the network was a "time intensive" process with no currently available ETA. However, the next day Sony stated that there was a "clear path to have PlayStation Network and Qriocity systems back online", with some services expected to be restored within a week. Furthermore, Sony stated that there had been a "compromise of personal information as a result of an illegal intrusion on our systems."
On May 1, 2011, Sony announced a "Welcome Back" program for customers affected by the outage. The company also confirmed that some PSN and Qriocity services would be available during the first week of May. The list of services expected to become available included:
On May 2, 2011, Sony issued a press release, according to which the Sony Online Entertainment
Sony Online Entertainment
Sony Online Entertainment is a game development and game publishing division of Sony that is best known for creating massively multiplayer online games, including EverQuest, EverQuest II, The Matrix Online, PlanetSide, Star Wars Galaxies, Free Realms, and Vanguard: Saga of Heroes, DC Universe...
services had been taken offline for maintenance due to potentially related activities during the initial criminal hack that caused the PlayStation Network outage. Over 12,000 credit card numbers from non-U.S. cardholders and additional information from 24.7 million SOE accounts may have been stolen.
During the week, Sony sent a written letter to the US House of Representatives, answering questions and concerns about the event. In the letter Sony announced that they would be providing Identity Theft insurance polices in the amount of $1 million USD per user of the PlayStation Network and Qriocity services despite no reports of credit card fraud being indicated. This was later confirmed on the PlayStation Blog, where it was announced that the service, AllClear ID
AllClear ID
AllClear ID, released in 2010, is an identity theft protection product from the company Debix. Debix was founded in 2004 and uses patented technology to alert customers of potential fraud....
Plus powered by Debix
Debix
Debix is a credit monitoring service based out of Austin, Texas. The company was founded in 2004 and reports to have protected over 800,000 consumers since. Debix provides data breach solutions for organizations as well as consumer protection through its OnCall Credit Monitoring. Major clients...
, would available to users in the United States free for 12 months, and is to include internet surveillance, complete identity repair in the event of theft and a $1 million ID theft insurance policy for each user.
On May 6, 2011, Sony stated they had begun "final stages of internal testing" for the PlayStation Network, which had been rebuilt. However, the following day Sony reported that they would not be able to bring PSN services back online within the one-week timeframe given on May 1, because "the extent of the attack on Sony Online Entertainment servers" had not been known at the time. Sony Online Entertainment confirmed by means of their Twitter account that their games would not be available until some undisclosed time after the weekend.
At the same time, reports from Reuters began reporting the event as "the biggest Internet security break-in ever" with more direct answers from the Corporation in which a Sony spokesperson said:
- Sony had removed the personal details of 2,500 people stolen by hackers and posted on a website
- The data included names and some addresses, which were in a database created in 2001
- No date had been fixed for the restart
On May 15, 2011, various PlayStation Network services began being brought back online on a country-by-country basis, starting with North America. These services include: sign-in for PSN and Qriocity services (including password resetting), online game-play on PS3 and PSP, playback of rental video content, Music Unlimited service (PS3 and PC), access to third party services (such as Netflix, Hulu, Vudu and MLB.tv), friends list, chat functionality and PlayStation Home. This accompanies a firmware update for the PS3, version 3.61. However, as of May 15, 2011, reinstatement of the service in Japan and East Asia has not yet been approved.
On May 18, 2011, SCE shut down the password reset page on their site following the discovery of an exploit in the system, which allowed users to reset other users' passwords, as long as they knew the email address and date of birth of the user. Sign-in using PSN details to various other Sony websites was also disabled, but console sign-ins were not affected.
On May 23, 2011 Sony stated that the costs of the PlayStation Network outage were $171 million.
US House of Representatives
Sony reported on the May 4, 2011, to the PlayStation Blog that:Sony relayed during the letters that:
Explanation of delays
Sony explained on the PlayStation Blog why it took so long to inform PSN users of the data theft:Sony investigation
Possible data theftData theft
Data theft is a growing problem primarily perpetrated by office workers with access to technology such as desktop computers and hand-held devices capable of storing digital information such as USB flash drives, iPods and even digital cameras...
meant that Sony provided an update in regards to a criminal investigation in a blog posted on April 27, 2011: "We are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible."
On April 3, 2011, Sony Computer Entertainment CEO Kaz Hirai reiterated this and said the "external intrusion" which had caused them to shut down the PlayStation Network constituted a "criminal cyber attack". Hirai expanded further, claiming that Sony systems had been under attack prior to the PlayStation Network outage "for the past month and half", suggesting a concerted attempt to target Sony.
On May 4, 2011, Sony announced that it was adding another company to the investigation team. Data Forte will join Guidance Software and Protiviti
Protiviti
Protiviti is a global consulting and internal audit firm specializing in risk and advisory services. Protiviti’s customers are in the areas of finance, operations, technology, litigation, and governance, risk and compliance. Protiviti has offices in 61 major markets, with 33 in the United States...
in analysing the attacks. Legal aspects of the case will be handled by law firm Baker & McKenzie. Sony stated their belief that Anonymous
Anonymous (group)
Anonymous is an international hacking group, spread through the Internet, initiating active civil disobedience, while attempting to maintain anonymity. Originating in 2003 on the imageboard 4chan, the term refers to the concept of many online community users simultaneously existing as an anarchic,...
, or some portion thereof, may have set the stage for the attack. Anonymous denied involvement.
Upon learning that a breach had occurred to the PlayStation Network, Sony launched an internal investigation. Sony reported, in its letter to the United States Congress:
Additional details were provided as follows:
Inability to use PlayStation 3 content
While remaining offline, the PlayStation 3PlayStation 3
The is the third home video game console produced by Sony Computer Entertainment and the successor to the PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft's Xbox 360 and Nintendo's Wii as part of the seventh generation of video game consoles...
was unable to play certain Capcom
Capcom
is a Japanese developer and publisher of video games, known for creating multi-million-selling franchises such as Devil May Cry, Chaos Legion, Street Fighter, Mega Man and Resident Evil. Capcom developed and published Bionic Commando, Lost Planet and Dark Void too, but they are less known. Its...
titles that were downloaded from the PlayStation Store. Streaming video providers throughout different regions such as Hulu
Hulu
Hulu is a website and over-the-top subscription service offering ad-supported on-demand streaming video of TV shows, movies, webisodes and other new media, trailers, clips, and behind-the-scenes footage from NBC, Fox, ABC, and Obstacle on October 20th 2011 Nickelodeon and CBS and many other...
, Vudu, Netflix
Netflix
Netflix, Inc., is an American provider of on-demand internet streaming media in the United States, Canada, and Latin America and flat rate DVD-by-mail in the United States. The company was established in 1997 and is headquartered in Los Gatos, California...
and LoveFilm
LoveFilm
LoveFilm is a UK-based provider of home video and video game rental through DVD-by-mail and streaming video on demand in the UK, Germany and Scandinavia...
are noted to be inaccessible displaying the same maintenance message, although some users have claimed to have been able to still use Netflix
Netflix
Netflix, Inc., is an American provider of on-demand internet streaming media in the United States, Canada, and Latin America and flat rate DVD-by-mail in the United States. The company was established in 1997 and is headquartered in Los Gatos, California...
's streaming service.
Criticism of Sony's handling of the incident
Delayed warning of possible data theft
On April 26, 2011, nearly a week after the Network was temporarily disabled, Sony confirmed that it "cannot rule out the possibility" that personally identifiable informationPersonally identifiable information
Personally Identifiable Information , as used in information security, is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual...
such as PlayStation Network account username, password, home address, and email address had been compromised. Sony also mentioned the possibility of credit card data being obtained after claiming that encryption had been placed on the databases, which would partially satisfy PCI Compliance for storing credit card information on a server.
Subsequent to the announcement in both the official blog and by e-mail, PlayStation Network users were asked to safeguard credit card transactions by checking bank statements. This warning came nearly a week after the initial "external intrusion
Hacker (computer security)
In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...
" and when the Network was turned off.
Some disputed this explanation and queried that if Sony deemed the situation so severe that they had to turn off the PlayStation Network on April 20, 2011, Sony should have subsequently warned users of possible data theft rather than on April 26, 2011. Concerns have been raised over both violations of PCI Compliance and failure to notify users immediately following breach of security involving financial information and credit card data. US Senator Richard Blumenthal wrote to Sony Computer Entertainment America CEO Jack Tretton
Jack Tretton
Jack Tretton is the President and CEO of Sony Computer Entertainment of America , a division of Sony Computer Entertainment, which is a subsidiary of Sony Corporation...
questioning Sony why it took so long to inform users that personal details could have been obtained through unauthorized means.
Sony stated in their letter to the subcommittee:
Unencrypted personal details
Credit card data was encrypted, but Sony admitted that other user information was not encrypted at the time of the intrusion. The Daily TelegraphThe Daily Telegraph
The Daily Telegraph is a daily morning broadsheet newspaper distributed throughout the United Kingdom and internationally. The newspaper was founded by Arthur B...
reported that "If the provider stores passwords unencrypted, then it's very easy for somebody else – not just an external attacker, but members of staff or contractors working on Sony's site – to get access and discover those passwords, potentially using them for nefarious means."
On May 2, Sony clarified the "unencrypted" status of users' passwords, stating that:
Sony Online Entertainment outage
On May 3, 2011, Sony stated in a press release that there may be a correlation between the same attack that had occurred on April 16, 2011, towards the PlayStation Network which resulted in the Sony Online EntertainmentSony Online Entertainment
Sony Online Entertainment is a game development and game publishing division of Sony that is best known for creating massively multiplayer online games, including EverQuest, EverQuest II, The Matrix Online, PlanetSide, Star Wars Galaxies, Free Realms, and Vanguard: Saga of Heroes, DC Universe...
servers being compromised and taken offline on the previous day. This portion of the attack resulted in the theft of information on 24.6 million Sony Online Entertainment account holders. The database contained 12,700 credit card numbers, particularly those of non-U.S. cardholders, and had not been in use since 2007 as much of the data contained within applies to expired cards and accounts that have been deleted. Sony updated this information the following day by stating that only 900 cards on the database were still live. The discovery of this attack resulted in the suspension of Sony Online Entertainment servers as well as SOE Facebook
Facebook
Facebook is a social networking service and website launched in February 2004, operated and privately owned by Facebook, Inc. , Facebook has more than 800 million active users. Users must register before using the site, after which they may create a personal profile, add other users as...
games. Sony Online Entertainment has already stated that they plan to grant 30 days of free time, plus a day for each day the server is down, to users of Clone Wars Adventures
Clone Wars Adventures
Star Wars: Clone Wars Adventures is a comic book series, part of the fictional Star Wars galaxy.It is aimed towards a younger audience than the Star Wars: Clone Wars comic book series...
, DC Universe Online
DC Universe Online
DC Universe Online or DCUO is an MMORPG by Sony Online Entertainment – Austin. Jim Lee serves as the game's Executive Creative Director, along with Carlos D'Anda, JJ Kirby, Oliver Nome, Eddie Nuñez, Livio Ramondelli, and Michael Lopez...
, EverQuest
EverQuest
EverQuest, often shortened to EQ, is a 3D fantasy-themed massively multiplayer online role-playing game that was released on the 16th of March, 1999. The original design is credited to Brad McQuaid, Steve Clover, and Bill Trost...
, EverQuest II
EverQuest II
EverQuest II is a 3D fantasy massively multiplayer online role-playing game developed by Sony Online Entertainment , based on EverQuest, and shipped on 8 November 2004...
, EverQuest Online Adventures
EverQuest Online Adventures
EverQuest Online Adventures is a fantasy massively multiplayer online role-playing game for the PlayStation 2. EQOA is one of the few MMORPGs released on a video game console...
, Free Realms
Free Realms
Free Realms is a massively multiplayer online role playing video game developed by Sony Online Entertainment set in a fantasy-themed world, named Sacred Grove for the PC, Mac and PlayStation 3. The game was released on April 29, 2009, for the Windows PC...
, Pirates of the Burning Sea
Pirates of the Burning Sea
Pirates of the Burning Sea is a massively multiplayer online role-playing game developed by Flying Lab Software...
, PlanetSide
PlanetSide
PlanetSide is a massively-multiplayer online first-person-shooter computer game published by Sony Online Entertainment and released on May 20, 2003....
, Poxnora
PoxNora
PoxNora: Battlefield of the Immortals is a multiplayer online game that combines a collectible card game with a turn-based strategy game in a fantasy setting. PoxNora was originally launched via Java Web Start through a browser and can be played on Microsoft Windows, Mac OS X, and Linux...
, Star Wars Galaxies
Star Wars Galaxies
Star Wars Galaxies is a Star Wars themed MMORPG for Microsoft Windows developed by Sony Online Entertainment and published by LucasArts.-History:...
, and Vanguard: Saga of Heroes
Vanguard: Saga of Heroes
Vanguard: Saga of Heroes is a high fantasy-themed massively multiplayer online role-playing game created by Sigil Games Online, and now developed and run by Sony Online Entertainment. Originally, the game was co-published by Sony Online Entertainment , and the company producing it, Sigil Games...
, as well as other forms of compensation for all other Sony Online games.
Security experts Eugene Lapidous of AnchorFree, Chester Wisniewski of Sophos Canada
Sophos
Sophos is a developer and vendor of security software and hardware, including anti-virus, anti-spyware, anti-spam, network access control, encryption software and data loss prevention for desktops, servers, email systems and other network gateways....
and Avner Levin of Ryerson University
Ryerson University
Ryerson University is a public research university located in downtown Toronto, Ontario, Canada. Its urban campus is adjacent to Yonge-Dundas Square located at the busiest intersection in Downtown Toronto. The majority of its buildings are in the blocks northeast of the square in Toronto's Garden...
criticized Sony, questioning its methods of securing and storing user data. Lapidous called the breach "difficult to excuse" and Wisniewski called it "an act of hubris or simply gross incompetence".
Sony Pictures Entertainment website hacking
The SonySony
, commonly referred to as Sony, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan and the world's fifth largest media conglomerate measured by revenues....
website SonyPictures.com
Sony Pictures Entertainment
Sony Pictures Entertainment, Inc. is the television and film production/distribution unit of Japanese multinational technology and media conglomerate Sony...
was hacked on 2 June 2011, with unencrypted
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
passwords and personal information of Sony customers within the website's database being discovered by the hackers.
Compensation to users
Sony has stated that they will be hosting special events after the PlayStation Network is brought back online. Sony has also stated they have plans for PS3 versions of DC Universe Online and Free Realms to help alleviate some of their losses. Sony is currently evaluating ways to show their appreciation towards their users who do not play MMOGs for their patience with them during the outage. In a press conference in Tokyo on May 1, Sony announced a "Welcome Back" program for users when the service is restored. As well as "selected PlayStation entertainment content" the program promises to include 30 days free membership of PlayStation Plus for all PSN members, existing PlayStation Plus members will receive an additional 30 days added to their subscription, Qriocity subscribers also receive 30 days. Sony also promised other content and services over the coming weeks. Sony also offered one year free identity theft protection to all users with details forthcoming.Hulu
Hulu
Hulu is a website and over-the-top subscription service offering ad-supported on-demand streaming video of TV shows, movies, webisodes and other new media, trailers, clips, and behind-the-scenes footage from NBC, Fox, ABC, and Obstacle on October 20th 2011 Nickelodeon and CBS and many other...
has also given notice that they will be compensating PlayStation 3 users for the inability to use their service during the outage. They are offering one week of service compensatory to all Hulu Plus members.
On May 16, 2011, Sony announced that two PlayStation 3 games and two PSP games would be offered for free from lists of five and four (respectively) once the PlayStation Store has regained functionality. The games available varies by region and are only available in countries which have access to the PlayStation Store. On May 27, 2011, Sony announced the "welcome back" package for Japan and the Asia region (Hong Kong, Singapore, Malaysia, Thailand and Indonesia). In the Asia region, a theme - Dokodemo Issyo Spring Theme - will be offered for free in addition to the games available in the "welcome back" package.
5 PSP games are offered in the Japanese market.
| Game | North America | Europe (non-Germany) | Germany | Asia | Japan |
|---|---|---|---|---|---|
| Wipeout HD/Fury Wipeout HD Wipeout HD, trademarked and stylised as WipEout HD, is the eighth title in the Wipeout racing video game series, developed by Sony Liverpool for the PlayStation 3 console... |
|||||
| LittleBigPlanet LittleBigPlanet LittleBigPlanet, commonly abbreviated LBP, is a puzzle platformer video game, based on user-generated content, for the PlayStation 3 first announced on 7 March 2007, by Phil Harrison at the Game Developers Conference in San Francisco, California... |
|||||
| InFamous | |||||
| Dead Nation Dead Nation Dead Nation is a shoot 'em up video game for PlayStation 3 developed by a Finnish video game company Housemarque. It was released on November 30, 2010 in North America, and December 1 in Europe, on PlayStation Network. Dead Nation takes place in a fictional world afflicted by a zombie apocalypse... |
|||||
| Super Stardust HD Super Stardust HD Super Stardust HD is a downloadable game for the PlayStation 3 video game console developed by the Finnish company Housemarque. It is also known as Star Strike HD in Japan.... |
|||||
| Ratchet & Clank: Quest for Booty | |||||
| Hustle Kings Hustle Kings Hustle Kings is a pool video game developed by VooFoo Studios for the PlayStation 3. It was released on the PlayStation Store in Europe on 22 December 2009 and in North America on 28 January 2010. The game features a career mode as well as various trick shot and tournament modes... |
|||||
| The Last Guy The Last Guy The Last Guy is a PlayStation Network title for the PlayStation 3. It is available as a downloadable game on the PlayStation Store. The game is a rescue game in which the eponymous player character must guide civilians to escape from monster-infested cities. On July 31, 2008, it was released in Japan... |
|||||
| Trashbox | |||||
| Come on, LocoRoco!! BuuBuu Cocoreccho | |||||
| Echochrome: Overture Echochrome is a puzzle game created by Sony's JAPAN Studio and Game Yarouze, which is available for PlayStation 3 from the PlayStation Store and for PlayStation Portable on either UMD or from the PlayStation Store. Gameplay involves a mannequin figure traversing a rotatable world where physics and reality... |
| Game | North America | Europe (non-Germany) | Germany | Asia | Japan |
|---|---|---|---|---|---|
| LittleBigPlanet PSP | |||||
| ModNation Racers PSP ModNation Racers ModNation Racers is a kart racing game developed by United Front Games for the PlayStation 3 and PlayStation Portable. User generated content will be a central aspect of the game, such that it uses the same "Play, Create, Share." adage as LittleBigPlanet to convey its basis in online user-generated... |
|||||
| Pursuit Force Pursuit Force Pursuit Force is a video game for the PlayStation Portable. It puts the player in the role of a police agent who joins up to a law enforcement agency known as the Pursuit Force, to restore order to a city overrun with crime. This elite unit specialises in direct armed encounters with adversaries,... |
|||||
| Killzone Liberation | |||||
| Everybody's Golf 2 Everybody's Golf 2 is the second game in the Everybody's Golf series and the second game released for PlayStation. It was released on July 29, 1999 in Japan, February 29, 2000 in North America and April 19, 2000 in Europe.... |
|||||
| Buzz Junior Jungle Party | |||||
| Everybody's Stress Buster | |||||
| Locoroco Midnight Carnival LocoRoco is a platform video game released worldwide in 2006 for the PlayStation Portable handheld game console, and developed and published by Sony Computer Entertainment. The game was developed by Tsutomu Kouno, striving to create a game that was different than other titles being released for the PSP at... |
|||||
| Patapon 2 Patapon 2 is a video game by Sony Computer Entertainment. It is a sequel to Patapon.The game was released in Japan, Europe, and Australia before North America, and in North America it was first available only as a digital download via the PlayStation Store, as a "test case" to gauge the success of digital... |
|||||
| What Did I Do To Deserve This, My Lord? |
Killzone Liberation will not offer online gameplay functionality.
Government reaction
The revealing of possible data theft concerned authorities around the world. Graham Cluley, senior technology consultant at SophosSophos
Sophos is a developer and vendor of security software and hardware, including anti-virus, anti-spyware, anti-spam, network access control, encryption software and data loss prevention for desktops, servers, email systems and other network gateways....
, said that the breach "certainly ranks as one of the biggest data losses ever to affect individuals". The British Information Commissioner's Office stated that Sony will be questioned, and that an investigation will take place to discover whether Sony had taken adequate precautions to protect customer details. If found in breach of the UK's Data Protection Act, Sony could face fines of up to £500,000. The Privacy Commissioner of Canada
Privacy Commissioner of Canada
The Privacy Commissioner of Canada is a special ombudsman and an officer of parliament who reports directly to the House of Commons and the Senate....
, Jennifer Stoddart
Jennifer Stoddart
Jennifer Stoddart is the current Privacy Commissioner of Canada.Stoddart received a licence in civil law from McGill University as well as a Master of Arts in history from the Université du Québec à Montréal. On December 1, 2003, Stoddart was appointed Canada's Privacy Commissioner by the Governor...
confirmed that the Canadian authorities would investigate the incident, and the Commissioner's office conveyed their concern as to why the authorities in Canada weren't informed of a security breach earlier. US Senator Richard Blumenthal
Richard Blumenthal
Richard Blumenthal is the junior United States Senator from Connecticut and a member of the Democratic Party. Previously, he served as Attorney General of Connecticut....
of Connecticut
Connecticut
Connecticut is a state in the New England region of the northeastern United States. It is bordered by Rhode Island to the east, Massachusetts to the north, and the state of New York to the west and the south .Connecticut is named for the Connecticut River, the major U.S. river that approximately...
demanded answers from Sony about the data breach by emailing SECA CEO Jack Tretton
Jack Tretton
Jack Tretton is the President and CEO of Sony Computer Entertainment of America , a division of Sony Computer Entertainment, which is a subsidiary of Sony Corporation...
arguing about the delay in informing its customers and insisting that Sony do more for its customers than just offer free credit reporting services. Senator Blumenthal later called for an investigation of the breach to be launched by the US Department of Justice to find the person or persons responsible for the breach and to determine if Sony may be liable for the way that it handled the situation. Congresswoman Mary Bono Mack and Congressman G. K. Butterfield
G. K. Butterfield
George Kenneth Butterfield, Jr. is the U.S. Representative for , serving since 2004. He is a member of the Democratic Party. The district is located in the northeastern corner of the state.-Early life and education:...
sent a letter to Sony, demanding information on when the breach was discovered and how the crisis will be handled. Sony had been asked to testify before a congressional hearing on security and to answer questions about the breach of security on May 2, 2011 but sent a letter response instead which answered the subcommittee's questions.
Legal action against Sony
A lawsuit was posted on April 27, 2011, by Kristopher Johns from Birmingham, AlabamaBirmingham, Alabama
Birmingham is the largest city in Alabama. The city is the county seat of Jefferson County. According to the 2010 United States Census, Birmingham had a population of 212,237. The Birmingham-Hoover Metropolitan Area, in estimate by the U.S...
on behalf of all PlayStation users alleging Sony "failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back online." According to the complaint filed in the lawsuit, Sony has failed to notify members of a possible security breach and storing members' credit card information, a violation of PCI Compliance—the digital security standard for the Payment Card Industry.
Another lawsuit was filed in Canada by Natasha Maksimovic and claims damages up to C$
Canadian dollar
The Canadian dollar is the currency of Canada. As of 2007, the Canadian dollar is the 7th most traded currency in the world. It is abbreviated with the dollar sign $, or C$ to distinguish it from other dollar-denominated currencies...
1 billion which includes free credit monitoring and identity theft insurance. It was filed against Sony USA, Sony Canada and Sony Japan. The plaintiff in the case is quoted as saying: "If you can't trust a huge multi-national corporation like Sony to protect your private information, who can you trust? It appears to me that Sony focuses more on protecting its games than its PlayStation users".
Credit card fraud
As of May 2011, there have been no verifiable reports of credit card fraud related to the PlayStation Network outage. There have been reports from the Internet that some PlayStation users have experienced credit card fraud; however, these reported fraud cases have yet to be linked to the incident. Users who have registered a credit card for use only with Sony have also reported credit card fraud. Sony has claimed that the CSC codes requested by their services were not stored, but it has been suggested that the hackers may have been able to decrypt or record credit card details while inside Sony's network.Sony stated in their letter to the subcommittee:
On May 5, a letter from United States Sony Corporation of America CEO and President Sir Howard Stringer further emphasized that there had been no evidence of credit card fraud and that a $1 million dollar identity theft insurance policy would be available to PSN and Qriocity users:
Change to Terms and Conditions
It has been suggested that a change to the PSN Terms and Conditions announced on September 15, 2011 has been motivated by the large damages from class action suits against Sony resulting from the hack and subsequent network outage, so as to minimise the financial losses to the company in future. Using the PlayStation Network now requires users to agree to terms and conditions which include a clause (Section 15) where the user gives up their right (to join together as a group in a Class actionClass action
In law, a class action, a class suit, or a representative action is a form of lawsuit in which a large group of people collectively bring a claim to court and/or in which a class of defendants is being sued...
) to sue Sony over any future security breaches. This also includes any ongoing class action suits initiated prior to the August 20, 2011.
Another clause, which theoretically removes a user's right to trial by jury, if the user does opt out of the clause (done by sending a letter to Sony), says: