04/27/2011 Sony, PlayStation Network (PSN),
and Sony Online Entertainment (SOE)
a retail business in New York, New York
12,000,000 financial accounts compromised
24,600,000 non-financial accounts compromised
The New York location listed is the U.S. headquarters of Sony. A Sony data center in San Diego was attacked by cyber criminals and may have been the point of compromise.
Sony learned that 77 million Play Station Network user accounts were compromised from its PlayStation Network 4/19/2011 or earlier and it shut down the network immediately. Sony informed the public a week later, Tuesday 4/26/2011. On 5/2/2011 the count was raised by 25 million due to compromised accounts in Sony’s online multiplayer division, Sony Online Entertainment. That makes 102 million affected accounts. At $100/affected account that is a potential exposure of $10 billion dollars. At $182/affected account that is over $18.5 billion dollars.
www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426
Chronology of events
Sony discovered an external intrusion on PSN and its Qriocity music service around April 19. Sony placed an outage to block users from playing online games or accessing services like Netflix and Hulu Plus on Friday April 22. Sony says the outage will continue until the situation is addressed, which will likely be within the next week. Sony believes an unauthorized person has obtained names, addresses, email addresses, dates of birth, PlayStation Network/Qriocity password and login, and handle/PSN online IDs for multiple users. The attacker may have also stolen users’ purchase history, billing address, and password security questions. User credit card numbers may have also been obtained. Sony has hired a security firm to investigate the incident and strengthen the network infrastructure by re-building their system to provide greater protection of personal information. An individual filed a class action lawsuit on behalf of all PSN users following seven days of a Sony PlayStation Network outage. The lawsuit alleges that Sony “failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back on line.” It also accused Sony of violating the Payment Card Industry (PCI) security standard, which prohibits companies from storing cardholder data.
UPDATE(5/3/2011): A review of Sony’s network breach revealed that it was larger than first thought. Sony turned the SOE system off. Hackers may have taken personal information from an additional 24,600,000 user accounts in Austria, Germany, the Netherlands and Spain. Names, addresses, genders, email addresses, login name and associated password, phone numbers and birth dates of SOE gaming customers, as well as data from about 12,700 credit card accounts and 10,700 bank accounts from an outdated 2007 database could have been accessed. The outdated account information that may have been obtained by hackers includes credit card numbers, debit card numbers, expiration dates, bank account numbers, customer names, account names and customer addresses.The SOE network hosts games that are played over the Internet on personal computers and is separate from the PlayStation network. Sony has not clearly indicated if credit card numbers were compromised. At least one report indicates that the numbers were encrypted. These breached records will not be added to the total until more is known.
UPDATE(5/6/2011): Sony now indicates that some credit card numbers were compromised. Twelve million credit card numbers were unencrypted and could easily be read.
UPDATE (5/7/2011): Sony discovered that hackers had placed customer information online. Sony removed the information. It included customer names and addresses from a 2001 Sony database.Service restoration for the PlayStation network was indefinitely delayed. Additionally, the CEO issued an apology letter.
UPDATE(5/17/2011): Hackers began changing user passwords by using PSN account emails and dates of birth within two days of the partial restoration of the PlayStation Network. Sony failed to alter the password reset system to account for hackers having obtained user email addresses and dates of birth. Users who changed their passwords, but not the email associated with their PlayStation Network accounts, were vulnerable to the hacker exploit. Sony shut down the PlayStation Network again and released a short statement about the incident.
UPDATE(5/23/2011): Sony headquarters expects to spend about $171 million on its personal information theft protection program, welcome back programs, customer support, network security enhancements and legal costs associated with the breach.
UPDATE(6/2/2011): Sony fully restored all Playstation Network services in all areas except Japan. The Playstation Store and Qriocity divisions are now functioning properly.
UPDATE (6/4/2011): A concise history of the Sony hacks can be found here. The site also includes some interesting observations.
UPDATE(7/21/2011): Zurich American, one of Sony’s insurers, is suing to deny releasing data breach coverage funds to Sony. Sony expects the breach to lower operating profit by $178 million in the current financial year. A total of 55 class action complaints have been filed.
UPDATE(10/11/2011): Sony Online Entertainment became aware of a large number of unauthorized sign-in attempts. The attempts took place between October 7 and 10. About 93,000 PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment services accounts may have been compromised. The unauthorized parties appear to have verified valid sign-in IDs and passwords after a number of failed attempts. Sony temporarily locked those accounts. It is unclear if the email addresses were obtained from a previous breach.
UPDATE(10/19/2012): A federal judge found that Sony users signed a privacy policy informing them that Sony’s security was not perfect. Sony was cleared of negligence, unjust enrichment, bailment, and violations of California consumer protection statutes. The judge ruled that plaintiffs could not claim that Sony violated consumer-protection laws because PSN services were free of cost. This dismissed much of the lawsuit.
UPDATE(12/16/2013): Sony agreed to drop an insurance claim over litigation related to the 2011 breach.
