10-Minute Obsession:

Yet Another Sony Network Security Breach

UPDATE:  It appears that I left the most relevant number of PSN attack-related credit card casualties out of the original post.  Edited to reflect that.

What initially appeared to be a relatively minor downtime affecting Sony's Playstation Network has evolved into possibly the most devastating non-governmental network intrusion in history.

Backstory time!  On April 20, Sony took down access to the Playstation Network, leaving their Playstation 3 and PSP devices without access to the PSN's suite of online gaming services.  No chat, no digital distro, no online gaming.  (This is especially bad for the now-defunct PSP Go, which is exclusively a download-based product.  Thankfully, only half a dozen people bought PSP Gos.)

FULLY ONE WEEK LATER, Sony finally decided to let its customers know the scope of the problem:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

Sony's worldwide PSN userbase is estimated to be in the 70+ million range.

Since then, various (currently former, I guess) PSN users have reported via various forums and websites what could possibly amount in aggregate to an upswing in occurrences of identity theft, but it's kinda hard to tell - a 70-million strong pool of potential victims leaves a lot of wiggle room when you're talking about expected "ambient" numbers of identity theft.

More than a week after the initial shutdown, Sony held a press conference in which they gave a few new details about the attack, offered solutions that should have been in place years ago (Sony seriously is just now realizing the need for a Chief Security Officer?) and outlined what will inevitably be an inadequate goodwill gesture to affected customers that will in all likelihood end up being a stealth attempt to monetize the attack by offering users one month (auto-renewing, credit card required) of a paid premium service.

Additionally, Sony admitted that up to ten million PSN user credit card accounts were possibly compromised during the attack. 

Sony's estimates place ETA for restoration of PSN functionality at somewhere between the end of this week to the end of this month.

Now, all of that would be bad enough, but just today Sony Online Entertainment - Sony's MMO arm, once thought free of intrusion - took all its services offline without warning.  Why?  You guessed it:

Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems.  We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack.   Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.

Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained. We will be notifying each of those customers promptly.

This brings the total number of accounts compromised to over 100 million, including nearly 25,000 known (and/or admitted) credit or debit account numbers lost to intruders.

Sony's level of incompetence in recognizing and preventing major intrusions to their sensitive customer information is staggering enough (the repeated use of the phrase "known vulnerabilities" in various reports should be enough of a red flag by itself), but for them to A) recognize a major intrusion three days after the fact, then B) wait another week to admit that customer data was compromised, then C) a day later state that a separate Sony network was unaffected only to D) take that second network down and recant the previous statement another five days after that? 

Long story short, this Penny Arcade strip (or this one, if you're of the old school) ain't even the half of it.
