News: PSN Hacked - Who is to Blame?
Unless you have been living under a rock for the past week you will have been aware that the PlayStation Network has been down (officially "under maintenance"). More information has finally been released by Sony, although it's not the whole story - yet.
If you haven't received your email from Sony yet, or seen the message on another site or blog, here is a copy of the message sent out to all UK members:
Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority.

Please contact us at www.eu.playstation.com/psnoutage should you have any additional questions.

Sony Network Entertainment and Sony Computer Entertainment Teams

Sony Network Entertainment Europe Limited (formerly known as PlayStation Network Europe Limited) is a subsidiary of Sony Computer Entertainment Europe Limited, the data controller for PlayStation Network/Qriocity personal data.
In short, an attacker (or attackers) found a vulnerability in the PSN network and managed to access a lot of personal details from potentially every PSN and Qriocity account in the world, 75 million of them in around 60 countries. This is bad. Sony currently can't say whether credit card data was also available to the intruders, as they have not yet found any evidence that it was, and I hope to goodness it wasn't. Why can't they say yet? Well, as someone who has dealt with network forensics a little in my time I can say it is incredibly time consuming to piece together all the information and build a picture of what happened after an event like this. Even on a relatively small system the logs created can be huge and spread across several systems, so I can't even imagine the size of the PSN logs. Hackers usually try to cover their tracks too, by altering or deleting logs or filling them with bogus or irrelevant entries to hide their real activity, which makes it much harder to see what they did. 'Freezing' the PSN systems as soon as the problem was detected, i.e. taking them offline and preserving the logs and disk images exactly as they were rather than cleaning up, would have been a good idea: it stops more data leaving and keeps the evidence intact for the investigators.
There are plenty of people complaining about the data protection breach in online forums and blogs so I won't moan about it here, but I can say that it certainly isn't the first time this kind of thing has happened to an online store and it definitely won't be the last. Reports from the last few months alone include the following, with a couple of older cases for comparison...
- A few days ago, Rogelio Hackett Jr. from Georgia, USA pleaded guilty to using SQL injection attacks against web applications to obtain more than 675,000 credit card numbers from different online companies. Worryingly, half of those were from one online ticket sales company, which may not even have informed its customers of the breach! Credit card companies have traced more than $36 million in fraudulent transactions to those accounts.
- A couple of weeks ago several WordPress (the blogging people) servers were compromised at root level, potentially exposing the account details of the 18 million publishers who use WordPress.
- In February a hacker got into a Nintendo 3DS promotional site and grabbed personal info (including email addresses) of thousands of Nintendo members. After failing to blackmail Nintendo they posted some of the details online and promptly got arrested by Spanish police.
- Also in February, Yevgeny Anikin of Russia pleaded guilty to his part in stealing $10 million from the former Royal Bank of Scotland payment processor RBS WorldPay back in 2008, by breaking into its network, cloning prepaid payroll cards and raising their withdrawal limits before cashing out at ATMs.
- In January the user details (possibly including PayPal account info, depending upon whose report you read) of 28 million members of the dating site PlentyOfFish were exposed to a hacker. Passwords were apparently stored in plain text.
- The cosmetics group Lush were hacked and customer information, including credit card details, was stolen for orders placed between October 2010 and January 2011.
- In October 2010, Lin Mun Poo of Malaysia was arrested at JFK airport with a laptop containing 400,000 credit card, debit card and bank account details he had obtained after hacking into systems belonging to financial institutions, international banks, defence contractors, major corporations and FedComp (who look after several Federal Credit Union organisations). He traded and sold the information he obtained.
- Not long ago Epsilon, who manage email campaigns for around 2,500 companies world-wide such as Dell, Barclays Bank, Best Buy, Citibank, Marks & Spencer, Ritz-Carlton, Target, TiVo and Verizon, had their data stolen. It didn't contain credit card or bank info, but it did contain customer names and email addresses tied to the brands they do business with, which is exactly what large-scale targeted phishing needs. Epsilon send out 40 billion emails a year on behalf of their clients, so you can imagine how many people's details they hold.
- In December 2009 an SQL injection attack against the social network application maker RockYou.com stole 32 million login details, including those for users of Facebook and MySpace. Sadly (or stupidly) they apparently stored passwords in plain text, i.e. neither hashed nor encrypted!
- According to the recently released Verizon/US Secret Service 2011 Data Breach Investigations Report, 50% of the data breaches reported last year involved hacking, 17% involved privilege misuse (i.e. an insider accessing the data) and 49% involved malware (which is worrying!). The categories overlap, since one breach often combines several of them, which is why the figures add up to more than 100%.
- And many more...
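Two failings recur in the list above: SQL injection (the Hackett and RockYou cases) and passwords kept in plain text (PlentyOfFish, RockYou). The example below puts the vulnerable pattern and the hardened one side by side. It is an added example written for this page, not code from Sony or from any of the companies named, and it assumes nothing about how PSN was built: it uses an in-memory SQLite database with two made-up accounts, and the PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import sqlite3

# PBKDF2 work factor: an assumed value for this example, tune it for real hardware.
ITERATIONS = 100_000


def make_db():
    """Build a constructed in-memory database with two user tables.

    users_plain stores passwords as-is (the RockYou / PlentyOfFish pattern);
    users_hashed stores a random per-user salt and a PBKDF2-HMAC-SHA256 digest.
    The two accounts and their passwords are made up for this example.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users_hashed (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    for name, password in [("alice", "correct horse"), ("bob", "hunter2")]:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (name, password))
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (name, salt, digest))
    db.commit()
    return db


def login_vulnerable(db, name, password):
    """Login check built by string formatting: user input becomes part of the SQL.

    A password of  ' OR '1'='1  turns the WHERE clause into
    name = 'alice' AND password = '' OR '1'='1', which matches every row,
    so the check passes without knowing any password at all.
    """
    sql = ("SELECT name FROM users_plain WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchone() is not None


def login_hardened(db, name, password):
    """Parameterised query plus salted hash.

    The driver binds name as data, so quotes in it never reach the SQL parser,
    and the stored digest is recomputed from the submitted password and compared
    in constant time (compare_digest) to avoid a timing side channel.
    """
    row = db.execute("SELECT salt, hash FROM users_hashed WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def dump_plain(db):
    """What an attacker who copies users_plain walks away with: every password."""
    return db.execute("SELECT name, password FROM users_plain").fetchall()


def dump_hashed(db):
    """The same theft against users_hashed yields only salts and digests (as hex)."""
    return [(name, salt.hex(), digest.hex())
            for name, salt, digest in db.execute("SELECT name, salt, hash FROM users_hashed")]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, injected password:", login_vulnerable(db, "alice", payload))   # True
    print("hardened,   injected password:", login_hardened(db, "alice", payload))     # False
    print("hardened,   real password:    ", login_hardened(db, "alice", "correct horse"))  # True
    print("plaintext table dump:", dump_plain(db))
    print("hashed table dump:   ", dump_hashed(db))
```

The point of the hashed table is not that hashing makes a breach harmless, but that a stolen copy forces the attacker to guess each password separately against its own salt at the chosen work factor, instead of reading 32 million of them straight off the disk as at RockYou; and a parameterised query removes the injection route by which that copy was taken in the first place.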
So who is to blame in the Sony case? Some are pointing the finger at Sony for having a vulnerable system. Without knowing how the hackers got in it is difficult to say. If Sony were lax then they should take responsibility and perhaps offer compensation, but it may well be a vulnerability in a third-party component (e.g. the SQL or web server) of which they were unaware, though keeping such components patched is still the operator's job. Of course it could be that the recent PS3 hacking information posted online was a key factor in people finding an exploit for the PSN network. This is why I get wound up when some online users complain that the system should be open and anyone should be able to hack it as much as they want; this would be yet another reason why that is a bad idea.

Whatever blame you may put on Sony, nobody can deny that the thieving scum who broke into the system to steal the personal information of innocent gamers are definitely at fault. It's not even smart people most of the time who disrupt or break online systems. It is 'script kiddies' who download software written by someone else, without the knowledge, interest or brain capacity to understand how it works, simply that it will cause annoyance to innocent users. And they think that bragging about it online gains respect or makes them look clever. No. Rant over.

Whatever happens, this has done serious damage to the reputation of PSN and will no doubt see a decline in online purchases. We may see an increase in voucher cards being bought from high street shops (rather than risk using credit cards again), but I still feel there will be a drop in overall online purchases via PSN, which is a terrible shame for publishers.