Yesterday, Sony said it would answer a list of detailed questions presented by a US Congressional subcommittee looking into the PlayStation Network outage and data leak. Today, the company offered up its answers, which gave a detailed timeline of the data breach and subsequent downtime resulting from the cyberattack. Unfortunately, one of the responses confirmed the worst-case scenario--that all 77 million PlayStation Network and Qriocity service accounts had data stolen from them.
In a letter sent to the subcommittee--which can be viewed in its entirety here--Sony Computer Entertainment America chairman and Sony Corp. executive vice president Kaz Hirai offered a detailed timeline of the aforementioned attack. The saga began at 4:15 p.m. PDT on April 19, when employees of Sony Network Entertainment America, which took over PSN operations in March, noticed that "certain systems were rebooting when they were not scheduled to do so."
The following day, SNEA noticed "evidence that indicated an unauthorized intrusion had occurred and that data of some kind had been transferred off the PlayStation Network servers without authorization." However, SNEA couldn't determine exactly what type of information had been taken, so it then took down the PSN as a precaution.
Also on April 20, Sony called in an external computer forensics firm to look into the incident. To complete the investigation, the firm had to mirror all the servers that had been hacked, which was a time-intensive process. The investigation grew even more complex once the full extent of the attack became clear, causing Sony to enlist a second computer security company to help in the investigation on April 21.
It took until the afternoon of April 22 for the two firms to complete the mirroring of nine of the 10 servers that had been compromised. It then took until the following evening (April 23) for the two companies to confirm that "intruders had used very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside servers." The intruders deleted log files to cover their tracks, Sony said.
By April 24--Easter Sunday--Sony said it had realized it was dealing with a "sophisticated hacker" and called in a third outside firm to "determine the scope of the data theft." By Monday, April 25, all three teams could confirm the scale of the personal data that had been stolen, but couldn't say definitively whether or not credit card information had been taken as well.
The following day, Sony announced to the public that personal--and possibly credit card--data had been compromised. Hirai's letter then confirmed that "information appears to have been stolen from all PlayStation Network user accounts, although not every piece of information in those accounts appears to have been stolen. The criminal intruders stole personal information from all of the approximately 77 million PlayStation Network and Qriocity accounts."
Of the 77 million, some 12.3 million account holders had credit card information on file, with 5.6 million being in the US. (Those numbers include active and expired credit card accounts.) Luckily, Hirai said that, to date, "the major credit card companies have not reported that they have seen any increase in the number of fraudulent credit card transactions as a result of the attack." Last week, Wells Fargo, American Express, and MasterCard gave a similar account to the press.
The good news is that Hirai said that Sony now believes it has identified the cause of the breach. However, the company does not want to make the information public out of security concerns. It has, however, taken a variety of steps to beef up security, including moving its servers to a new facility, adding firewalls, enhancing data encryption and protection, and increasing automated software monitoring.
When asked if Sony had identified the individuals behind the attack, Hirai answered with a flat, "No." However, he did say that when Sony Online Entertainment discovered its own data theft this past Sunday, intruders had "planted a file on one of those [compromised] servers named 'Anonymous' with the words 'We are Legion.'" Though it was openly behind attacks on the PSN in early April, the hacker collective known as Anonymous has denied sanctioning the attack that has now kept the PSN down for two weeks. However, the loose nature of the collective, which has no official leaders, means that rogue elements could be behind the intrusion.