Sony answers Congress' questions, details PSN attack

Complete account of PlayStation Network outage offered; info stolen from all 77 million PSN accounts; no fraudulent credit card transactions reported; Anonymous possible culprit.

Yesterday, Sony said it would answer a list of detailed questions presented by a US Congressional subcommittee looking into the PlayStation Network outage and data leak. Today, the company offered up its answers, which gave a detailed timeline of the data breach and subsequent downtime resulting from the cyberattack. Unfortunately, one of the responses confirmed the worst-case scenario--that all 77 million PlayStation Network and Qriocity service accounts had data stolen from them.

Sony has now officially confirmed that all 77 million PSN accounts had data stolen from them.

In a letter sent to the subcommittee--which can be viewed in its entirety here--Sony Computer Entertainment America chairman and Sony Corp. executive vice president Kaz Hirai offered a detailed timeline of the aforementioned attack. The saga began at 4:15 p.m. PDT on April 19, when employees of Sony Network Entertainment America, which took over PSN operations in March, noticed that "certain systems were rebooting when they were not scheduled to do so."

The following day, SNEA noticed "evidence that indicated an unauthorized intrusion had occurred and that data of some kind had been transferred off the PlayStation Network servers without authorization." However, SNEA couldn't determine exactly what type of information had been taken, so it then took down the PSN as a precaution.

Also on April 20, Sony called in an external computer forensics firm to look into the incident. To complete the investigation, the firm had to mirror all the servers that had been hacked, which was a time-intensive process. The investigation grew even more complex once the full extent of the attack became clear, causing Sony to enlist a second computer security company to help in the investigation on April 21.

It took until the afternoon of April 22 for the two firms to complete the mirroring of nine of the 10 servers that had been compromised. It then took until the following evening (April 23) for the two companies to confirm that "intruders had used very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside servers." The intruders deleted log files to cover their tracks, Sony said.

By April 24--Easter Sunday--Sony said it had realized it was dealing with a "sophisticated hacker" and called in a third outside firm to "determine the scope of the data theft." By Monday, April 25, all three teams could confirm the scale of the personal data that had been stolen, but couldn't say definitively whether or not credit card information had been taken as well.

The following day, Sony announced to the public that personal--and possibly credit card--data had been compromised. Hirai's letter then confirmed that "information appears to have been stolen from all PlayStation Network user accounts, although not every piece of information in those accounts appears to have been stolen. The criminal intruders stole personal information from all of the approximately 77 million PlayStation Network and Qriocity accounts."

Of the 77 million, some 12.3 million account holders had credit card information on file, with 5.6 million being in the US. (Those numbers include active and expired credit card accounts.) Luckily, Hirai said that, to date, "the major credit card companies have not reported that they have seen any increase in the number of fraudulent credit card transactions as a result of the attack." Last week, Wells Fargo, American Express, and MasterCard gave a similar account to the press.

The good news is that Hirai said that Sony now believes it has identified the cause of the breach. However, the company does not want to make the information public out of security concerns. It has, however, taken a variety of steps to beef up security, including moving its servers to a new facility, adding additional firewalls, enhancing data encryption and protection, and increasing automated software monitoring.

When asked if Sony had identified the individuals behind the attack, Hirai answered with a flat, "No." However, he did say that when Sony Online Entertainment discovered its own data theft this past Sunday, intruders had "planted a file on one of those [compromised] servers named 'Anonymous' with the words 'We are Legion.'" Though it was openly behind attacks on the PSN in early April, the hacker collective known as Anonymous has denied sanctioning the attack that has now kept the PSN down for two weeks. However, the loose nature of the collective, which has no official leaders, means that rogue elements could be behind the intrusion.

Discussion

966 comments
vity606

Well, my account is here but I need to get it back. I spent 150, please help me.

Benzo396

I find it funny that everybody is complaining and talking about moving over to Xbox, but nobody is going anywhere. You'll all wait until the PSN is back online.

Zeta_Thompson

@Vodoo So, by that logic, if Microsoft was hacked and companies' and individuals' information was released, every government in the world would be within their rights to make an inquiry? If the corner store gets robbed and physical receipts are stolen and put online with credit card info, the store is responsible? Somehow I suspect that if Ford or Bear Stearns or any other non-government-owned company were approached by a foreign government asking for information of the same nature that Congress asked, they would be told to bugger off and Congress would protect their right to do so. That is sort of the point of capitalism in many ways. Now I DO question why Sony or any company needs all the data they claim they do, and this is a perfect example of why we should start refusing. As for Sony's liability - well, what does their EULA say? If it is like most, it basically says oh well, you use this and any other service at your risk. @CaptainHerloc exactly, why are they all worried about a foreign gaming company instead of ensuring the US companies and their own systems are secure against such an intrusion? I mean, just think of the scandal if the world were to see the monthly lunch budget for any given senator. I bet it is more than my family's food budget for a month.

chrisopo

I don't think PlayStation Network will return this month. It's taking the P!s5 now, nearly 3 weeks. At this rate 77 million users will end up being 25 million because they're taking too long to "test it".

max_wolfstein

These hackers have low self-esteem and are attempting to boost their self-importance by hacking PSN. I look down upon them as mere children.

Vodoo

@Zeta_Thompson... Congress got involved because over 5 million of those stolen accounts were Americans. If these hackers decided to use or sell even 1 million credit card #'s to go shopping it could devastate the extremely fragile economy. Banks not getting millions of dollars lent out on whatever purchases were made could be devastating. The banks just pulled their head above water and that would put them right back under. That's just one possible outcome of what could transpire and why Congress got involved. They probably want to have some sort of contingency plan in place if the worst should happen. And... I'm glad they gave Sony the impression that they're not above the law or persecution and that they will be held accountable for not investing more heavily in protecting people's sensitive data.

master_phi

Sony did happen to overstate the security of PSN, it was bound to happen sooner or later....tell a hacker that they can't handle it and they'll definitely try to prove you wrong...unless you're the NSA... :P Hopefully it'll be back up as they said-May 31st..

Blulightning

lol... "We are Legion" didn't come from Mass Effect 2. It's an allusion from the Bible. It was actually a demon who had possessed a man who said to Jesus "My name is Legion, for we are many." before Jesus exorcised the demon. Also, @FarmFreshDX, you have to understand that server reboots could be caused by system malfunctions. Servers go down occasionally, especially when they are being used as much as Sony probably uses them. As well, the workers at the facility holding the servers mentioned most likely have zero authority to issue an entire shutdown of the PSN. They likely had to contact their bosses, who had to contact their bosses, etc. until someone could give the 'OK' to shut down the PSN. Which I'm sure they didn't want to do. With a good connection, all of the data mentioned could be downloaded before this line of bureaucracy could take place. Also, some of you seem to misunderstand 'Anonymous'. They are NOT an organization. They are basically an anarchy of like-minded individuals. All of them acting independently. Of course, like in any anarchy you'll find groups of people working together to perform a single goal, as well as those completely independent. This is the nature of people known as 'Anonymous'.

kyzee_zul

Those hackers ruin our fun and took down our beloved PSN, truly hate them!!

WCK619

If Anonymous truly did this, they would release the information freely online for everyone to see. Anonymous is very strongly for free information for all. They don't like secrets.

vegasdan30

If they could do it to Sony they can do it to almost anyone. They chose Sony because Sony dared to prosecute them. We need a way to find and prosecute all of these hackers. As much as people use online, this will be very important for the future.

chrisopo

Playstation network is dead and will never return.

Spahettificator

@FarmFreshDX Maybe they were all popping off to the vending machines for a bit?

FarmFreshDX

I find it shocking that they noticed systems were going off and on and rebooting and did nothing. This isn't Jurassic Park, they weren't debugging the phone lines. Things like that don't happen, and you definitely don't ignore them when they do happen. Sony should certainly be able to tell something's wrong before 77 million pieces of information are taken.

CaptainHerlock

@Zeta_Thompson If they want to do business in the United States, then they have to abide by U.S. law in that respect. However, I understand what you're getting at. All of these well-meaning congressmen and women are using this to grandstand a bit, so they look good in front of their constituents. After all, this and things like steroids in baseball, and demanding to see President Obama's birth certificate, are easier than addressing the economy, unemployment, the national debt, and rising gas prices.

Zeta_Thompson

What does the US government have to do with a Japanese company? Seriously, I think Congress is out of line. Yes, ask Sony to contribute information regarding data security, but I think that was more than a bit high-handed of Congress. Maybe they should be more concerned about their own security instead of worrying about a gaming company?

lunaticrichard

And now Anonymous has claimed responsibility in part, as to say that some of the group were involved, but they were afraid of the FBI and so stated that they had nothing to do with the attack. How sad is that?

alex_1889

The only reason these idiots hide behind the name of Anonymous is because it makes them look like they aren't completely alone in their attack. They are. Anonymous as a majority don't endorse this.

GnomeGrown

Anyone else catch where "We are Legion" came from? It's in Mass Effect 2. I'm sure that's already been stated here in the comments, but seeing as there are almost 1,000, I didn't feel the need to read through every single one. I guess the Reapers are showing up early...

Bulzeeb3088

I'm still waiting to link Portal 2 on my PS3 and PC and wanting to try out AC: Brotherhood Multiplayer.

ppg4all

i have commented on this blog about 100 times and i just wanna say **** you damn as hackers

KrazzyDJ

Maybe the PSN hackers are XBOX fanboys who're trying to bring down the PSN so that XBOX LIVE is the only online service that thrives!!!

james0718

Wow, really, "anonymous". Whoever is hacking the PSN needs to seriously get a life. I mean really, how can you benefit from hacking the PSN? It's just plain stupid.

TheBlackKnight3

Terrorists are taking revenge on bin Laden's death already!!

voldalin

I just wish the government would keep their big fat nose out of it and let Sony handle it.

GSuser10

Well, whoever the hacker is, they're pretty damn smart to pull this off. This took a while for him or them to plan it out. But can't they trace the numbers of the computer that hacked or check keystrokes, or did they erase that too? But the bottom line is: let's catch who did this and get PSN back online.

zinoalex

Microsoft does have the most to gain from this incident. I'm sure secretly they like this. However, them being behind it is all speculative at this point. It is not in their character to do something of this nature.

TheGreenBlazer

jets78, I'm sure your mom will be a little bit more upset than you to know that her credit card information has quite possibly fallen into the hands of some sneaky mother f***ers.

TheGreenBlazer

I blame Microsoft. The bastards could not handle a little friendly competition from their Playstation rivals. God, damn it! You got the Black Ops map packs first, is that not enough?! FFS! On a side note, at least we can rest assured that these hackers are going to be violated in every sense of the word once they find their way to prison.

ggregd

@real_shengar Sony is responsible for securing your data. Anyone who takes credit cards and has half a brain knows there are bad people out there who want to steal cardholder information, and they have to secure it. They were negligent in their reliance on inadequate security. You don't leave your own wallet sitting out on the window sill, much less someone else's who entrusted it to you.

real_shengar

You are so damn ignorant, beelloo. Think you can solve a problem like this, scaled to your life, in two weeks? They got a WHOLE PSN and Qriocity service intrusion. I don't see that Sony did anything wrong. They are the ones who got breached, they are the ones who got robbed. If a bank that you've got an account in got robbed pretty hard, should you really blame them for your account getting emptied? Think, people, this is what those hackers want. To hate Sony while we really shouldn't.

beelloo

Sony is the worst company of all time. It's been two weeks now and they couldn't solve the problem.

guyxeno

@frost192... that would be one of the reasons I'd get psn+ or xbox live. COD dlc is a damn rip off so I wait till they go on sale. I buy dlc and arcade games all the time so it works out for me, especially the end of the year till now has been some crazy sales. I hope Sony does something worthwhile for its user base. I say give em at least 40 psn dollars so they can buy whatever content they want as well as some deals.

voldalin

My dad called me a few days ago telling me his bank account got wiped clean and the bank isn't doing anything about it except charging him fees. He does all his banking online and uses Norton antivirus. Go figure. Seems hackers are everywhere. Anyway, I'm hoping Sony can post some good news for us soon.

awheaten

@Frosty192 Posted May 5, 2011 6:35 pm PT "@_full_metal_ You are what is called an ignoramus. You're not even worth the ground I piss on." Dyam!!!! Are we getting personal. This is an emotional time, with all of us having withdrawal symptoms from having no online play. I understand that XBL account holders are having a field day on us PSN holders. Let's just remember there is more to life than gaming. Me for one: I love my daughter. I'm going to spend more time playing LAN vs. w/ her so we can spend the extra time together. I hope that you guys find a special someone to hang with while the PSN is down. I don't let the ridiculing get to me. The PSN will be up when Sony's ready. And our data will be secure.

Frosty192

@guyxeno Haha yeah pretty much everything else is down. I do see sales on psn mostly for psn + but I hardly buy dlc unless it isn't a rip off like all COD dlc is (on disk dlc is bs). Everyone enjoys whatever service they prefer. I prefer psn because well duh it is free and everyone likes free crap am I right? I usually play PC more anyways but I feel bad for everyone else who only has a ps3.