In April, Sony discovered that hackers had attacked the company's data center in San Diego and gained unauthorized access to its PlayStation Network (PSN) servers to steal customer data. Personal information was stolen from 77 million PSN and Qriocity user accounts and from 24.5 million Sony Online Entertainment user accounts.
After the breach, Sony was criticized for waiting a week to notify customers that their personal information might have been compromised. Consumers and regulators from all over the globe have called for more transparency from companies when a breach occurs; and even Sony representatives have said that more stringent guidelines for storing personal information could be needed.
- What was the Sony PlayStation Network security breach?
- What was stolen in the Sony PlayStation Network security breach?
- How was the Sony PlayStation Network security breach accomplished?
- What was the cost of the breach to Sony?
- What is the breach's potential effect on regulations?
Sony detected strange activity in its network system April 19, and the next day discovered that someone had gained unauthorized access to its PSN servers and had stolen customer data. The company's data center in San Diego had been attacked, as well as its Qriocity music service and Sony Online Entertainment networks.
Sony shut down the affected systems April 20 and didn't begin restoring PSN service to users in the U.S. until May 14. Even as users were encouraged to access the PSN and Qriocity sites to reset their passwords in mid-May, hackers found a URL exploit and Sony had to take the page down temporarily.
The PSN and Sony Online Entertainment breaches were just two in a series of attacks on the company's online services in the same time period. In May, attacks were carried out against Sony BMG Japan, Sony BMG Greece, the So-Net ISP in Japan, a Sony server in Thailand, and the Canadian version of the Official Sony Ericsson eShop.
Personal information was stolen from 77 million PSN and Qriocity user accounts and from 24.5 million Sony Online Entertainment user accounts. The attackers rummaged through a wealth of information about users, including names, addresses, email addresses, birth dates, password and login data, and online IDs, Kazuo Hirai, the chairman of the board of Sony Computer Entertainment America LLC, told U.S. lawmakers in a May 3 letter.
Because of the sophistication of the attack, it took Sony and its hired forensic consultants several days to confirm the extent of the data stolen, Hirai said. More than a month after the April 20 discovery of stolen customer data, it remained unclear whether credit card information had been taken. Credit card data was encrypted, although other personal information was not, the company said.
Sony noticed April 19 that several of its PSN servers were rebooting, even though the process was not scheduled. The next day, Sony identified an unauthorized intrusion, and realized that data had been stolen from the servers. It turned out that criminals had gained illegal access to the servers at about the same time the servers were being hit with denial-of-service (DoS) attacks.
The attackers exploited a software flaw, and used aggressive techniques to gain network access and increase their network privileges. They also used sophisticated techniques to hide from system administrators, including deleting log files as they went along. Sony's security team was busy dealing with the DoS attacks, so they didn't detect the intrusion right away.
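A defender-side illustration of the warning signs this paragraph describes (unscheduled reboots, commands that delete log files, and gaps in log coverage), written as an added example and not drawn from Sony's systems or its forensic report: the log lines, host name, IP address and maintenance window are all constructed.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # timestamp host message
REBOOT_RE = re.compile(r"reboot: Restarting system")
# sudo/audit-style command lines that remove or truncate files under /var/log
LOG_TAMPER_RE = re.compile(r"COMMAND=.*\b(rm|truncate|shred)\b.*/var/log/")

# Constructed sample: a heartbeat cron job every 5 minutes, then a reboot,
# a root login and deletion of the auth log, then silence for half an hour.
SAMPLE_LOG = """\
2011-04-19T02:00:01 host-a cron[300]: (root) CMD (/usr/local/bin/heartbeat)
2011-04-19T02:05:01 host-a cron[301]: (root) CMD (/usr/local/bin/heartbeat)
2011-04-19T02:06:40 host-a kernel: reboot: Restarting system
2011-04-19T02:09:12 host-a sshd[412]: Accepted password for root from 192.0.2.9 port 51234
2011-04-19T02:09:13 host-a sudo: root : COMMAND=/bin/rm -f /var/log/auth.log
2011-04-19T02:40:01 host-a cron[305]: (root) CMD (/usr/local/bin/heartbeat)
"""
# Constructed maintenance window (assumption): reboots are expected only here.
MAINTENANCE = [(datetime(2011, 4, 17, 3, 0), datetime(2011, 4, 17, 4, 0))]

def parse(log_text):
    """Yield (timestamp, host, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)

def analyze(log_text, maintenance_windows, max_gap=timedelta(minutes=15)):
    """Return (timestamp, host, alert) tuples for the three warning signs."""
    alerts, last_seen = [], {}
    for ts, host, msg in parse(log_text):
        # 1. Silence longer than max_gap on a host that normally logs steadily:
        #    an outage, or logs deleted after the fact.
        prev = last_seen.get(host)
        if prev is not None and ts - prev > max_gap:
            alerts.append((ts, host, f"log gap of {ts - prev} since last entry"))
        last_seen[host] = ts
        # 2. Reboot outside every known maintenance window.
        if REBOOT_RE.search(msg) and not any(a <= ts <= b for a, b in maintenance_windows):
            alerts.append((ts, host, "unscheduled reboot"))
        # 3. Privileged command that removes or truncates a log file.
        if LOG_TAMPER_RE.search(msg):
            alerts.append((ts, host, "log file removed/truncated: " + msg))
    return alerts

if __name__ == "__main__":
    for ts, host, alert in analyze(SAMPLE_LOG, MAINTENANCE):
        print(ts.isoformat(), host, alert)
```

Shipping logs to a remote collector as they are written is what makes check 3 and check 1 useful: a local file an attacker can delete is exactly what this section says was deleted.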
The PSN security breach was carried out by experienced cyberattackers, Hirai told U.S. lawmakers in the May 3 letter. "Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information for illegal purposes," he said.
Sony suggested that the hacker activist group known as Anonymous was behind the PSN attack, but the group denied it. Several weeks earlier, Anonymous had taken credit for attacks on other Sony websites in retaliation for a lawsuit the company had brought against another hacker.
Shutting systems down after the threats were detected came at a "substantial cost" to the company, according to Hirai. Sony offered customers free service for the number of days the system was down, plus an additional free month. The company also provided U.S. customers free identity-theft protection services. When the expenses of customer support, network upgrades, legal fees and more were combined, the breach had cost the company more than $171 million by the end of May, the company said.
Sony came under heated criticism for the way it went about disclosing information about the PSN breach. The company did not begin notifying customers that their personal information had been stolen until April 26, for example, a full week after it had detected unauthorized activity on the network.
The massive breach of personal information spurred a frenzy of outrage among U.S. lawmakers, with several redoubling their efforts to enact stricter data protections and breach notification laws. Company officials were called to Capitol Hill to testify before the House Commerce, Manufacturing and Trade subcommittee May 4, but they declined the invitation. Subcommittee Chairman Mary Bono Mack (R-Calif.) expressed particular dismay that Sony chose to reveal the breach first via a post on the PlayStation blog, and called Sony's actions a "half-hearted, half-baked" response.
Sony itself told lawmakers that tougher guidelines for storing personal information could be needed.
U.S. lawmakers are not the only officials concerned about the data breach. Regulators in a number of states and privacy officials in other countries have raised questions about the security of Sony's networks and demanded answers from the company. Connecticut Attorney General George Jepsen joined the refrain, saying he was troubled that users were not promptly notified.
This was first published in June 2011