Looks Like it Was a Bad Week for Sony. . .

Slowhand (Mod; MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switching; Bay Area, California; Posts: 5,163)
. . . and it's going to be a bad week for their customers.

For those of us who don't own a Playstation 3 or read Penny-Arcade, the news that Sony's online service, the Playstation Network (PSN) was down over the weekend may have flown under the radar. Apparently, PSN was taken down by Sony after an 'external attack' was detected on Wednesday, April 20th, and the service was still down on Monday, April 25th. Now, nearly a week after this mess began, Sony has informed the world that the intruder(s) may have made off with just about every piece of customer information that the company had stored.

The following is a segment of the notice to customers that Techland posted as part of their blog, a quote from a Sony PR rep:
We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

Where this situation now stands is that, for a week, PSN users were told that the service was down and that things were being sorted out. Now, it turns out that customer data may have been stolen and has been out in the wild for this long, and Sony's only now making this known. PSN and Qriocity are still down, and probably will be another few days, if not another week.

This should be. . . err. . . interesting to see play out, for lack of a better term.

Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials

Let it never be said that I didn't do the very least I could do.

Comments

  • Slowhand (Mod; MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switching; Bay Area, California; Posts: 5,163)
    Oh, another angle to this story is that Portal 2 launched on the 18th. Not only was this one of the most anticipated games of the year, it also features the draw of online co-operative play as one of its main attractions. This means that while PSN users were sitting and waiting to hear that their personal data was out wandering, XBox Live! and Steam have been hopping all weekend long with players taking on the roles of ATLAS and P-Body in co-op play. I'm guessing there's going to be a lot of XBox 360s bought, as well as new Steam accounts signed up for, in the near future. . . if there hasn't been already.

    If there's no other silver lining to all this, it's an opportunity for all of us to see the resulting effects of a security breach on this scale, both in relation to the customers and the financial standing of the company in question. Um. . . hooray for a real-world case-study of a cloud-network security breach?

    [Edit]
    There was a longer outage for XBox Live! back in 2008, but that had nothing to do with security; it was due to servers being overloaded. Microsoft saw some fallout from that incident, but I predict Sony's going to get A LOT more heat after all is said and done.

  • bertieb (Member; Posts: 1,031)
    Slowhand wrote: »
    [Edit] Microsoft saw some fallout from that incident, but I predict Sony's going to get A LOT more heat after all is said and done.

    And I suspect MS are thoroughly running security tests on their system too in the background.

    It used to surprise me when these kinda things happened, but after working for a hosting company for nigh on 10 years and watching online web based apps fail and get breached due to bad overall security design, lack of input validation etc etc even knowing the best, and good practices......

    It will be very interesting to see how this plays out, especially the credit card bit, but I'm not worried, I don't have a PS3 and I'm a 360 fan anyway :D
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • aldous (Member; Posts: 105)
    Maybe Sony will learn a lesson about treating their customers like crap, but I doubt it.

    Not to start a console war/fanboy fight here, but the way Sony were with Europe (you can wait 7 months for poor translations/more expensive in real terms/limited supply etc) when the PS2 was out just showed their total disregard for the customer, and now we see it again.

    It's doubly lame for people in the UK, as we had a long weekend with two public holidays just after Portal 2 was released and PS3 owners can't play at all.
  • Slowhand (Mod; MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switching; Bay Area, California; Posts: 5,163)
    bertieb wrote: »
    And I suspect MS are thoroughly running security tests on their system too in the background.
    Indeed, and I'm sure Nintendo, Valve, Blizzard, and every other game company with network support are doing the same. While they all will have to defend their security practices from here on in, it's Sony that's painted a big target on their backs as the poster-boy(s) of the worst-case scenario for a situation like this and will have to fight an uphill battle to regain trust.

    The hot-button question for many people just shifted from the generic "is my information safe online?" to "is my information safe with Sony?", and that's going to be a tough black eye to recover from.

  • headshot (Member; Posts: 77)
    Speculation is rife.

    I wonder exactly how the breach occurred. Shows no network is really secure.
  • eansdad (Member; Posts: 775)
    It was the Iranians in retaliation for the Stuxnet virus...
  • chrisone (Senior Member; Posts: 2,130)
    Damn, and I am one of those users who had CC info stored with Sony. I guess it's the price you pay when you get a free service.
    Certs: CISSP, OSCP, CRTP, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2020 Goals:
    Courses: VHL (completed), CQURE: Windows Security Crash Course (completed), BlackHills InfoSec: Breaching the Cloud (completed), eLearnSecurity: WAPTv3 (completed), IHRP (completed), THPv2 (completed), PTXv2 (in-progress)
    Certs: VHL: Advanced+ (completed), OSCP (completed), AZ-500 (failed 1st attempt), eLearnSecurity: eWPT (failed 2x, no further attempts), eLearnSecurity: eCIR (complete), eLearnSecurity: eCTHPv2 (report: awaiting results), eLearnSecurity: eCPTXv2 (Late-Nov)
  • jtoast (Member; Posts: 226)
    Slowhand wrote: »
    Oh, another angle to this story is that Portal 2 launched on the 18th. Not only was this one of the most anticipated games of the year, it also features the draw of online co-operative play as one of its main attractions.[Edit]
    To make this even worse, Sony paid big money to be the only console that allowed Portal 2 co-op play with Steam PC users. I came very close to buying the PS3 version of Portal 2 instead of the Xbox version for that very reason. I am now very glad I went with the Xbox version. Portal 2 is awesome :)
  • tpatt100 (Member; Posts: 2,991)
    Is this even the biggest breach? I know in the last couple of weeks there were several, one of which was Dell Australia.
  • Hypntick (Member; Posts: 1,451)
    This doesn't really affect my confidence in Sony at all. I still use their product and enjoy the heck out of it. However I have never and will never use it for online gaming. I have not found a single online capable game that isn't on the PC that I care to play on a console. As far as credit card info being stolen, happens all the time to a ton of companies, nothing new.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • Slowhand (Mod; MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switching; Bay Area, California; Posts: 5,163)
    Hypntick wrote: »
    As far as credit card info being stolen, happens all the time to a ton of companies, nothing new.
    This is very true. I think, however, that the fact that Sony sat on this information for a week before telling their customers that all that data had been stolen is what makes this stand out as particularly bad.

  • Daniel333 (Member; Posts: 2,077)
    Maybe I am misreading this. But has there been a single confirmed illicit use of the information? Or is Sony just assuming the worst?
    -Daniel
  • tpatt100 (Member; Posts: 2,991)
    I thought disclosing security breaches is not required and plenty of breaches are never revealed.
  • RobertKaucher (Member; Posts: 4,298)
    Slowhand wrote: »
    I'm guessing there's going to be a lot of XBox 360s bought, as well as new Steam accounts signed up for, in the near future. . . if there hasn't been already.

    Penny Arcade! - Compare And Contrast
  • RobertKaucher (Member; Posts: 4,298)
    tpatt100 wrote: »
    I thought disclosing security breaches is not required and plenty of breaches are never revealed.
    Security Breach Notification Laws

    State laws may vary:
    Ohio:
    (B)(1) Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the person with another person prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section and does not waive any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the person is in this state.
  • chrisone (Senior Member; Posts: 2,130)
    Slowhand wrote: »
    This is very true. I think, however, that the fact that Sony sat on this information for a week before telling their customers that all that data had been stolen is what makes this stand out as particularly bad.

    The funny thing is that not only did their service go down and now my CC info is in jeopardy, my PS3 fried on that same day! LOL!

    Sony should give me a free PS3 for my heartaches....
  • Turgon (Banned; Posts: 6,313)
    Slowhand wrote: »
    . . . and it's going to be a bad week for their customers.

    For those of us who don't own a Playstation 3 or read Penny-Arcade, the news that Sony's online service, the Playstation Network (PSN) was down over the weekend may have flown under the radar. Apparently, PSN was taken down by Sony after an 'external attack' was detected on Wednesday, April 20th, and the service was still down on Monday, April 25th. Now, nearly a week after this mess began, Sony has informed the world that the intruder(s) may have made off with just about every piece of customer information that the company had stored.

    The following is a segment of the notice to customers that Techland posted as part of their blog, a quote from a Sony PR rep:


    Where this situation now stands is that, for a week, PSN users were told that the service was down and that things were being sorted out. Now, it turns out that customer-data may have been stolen and has been out in the wild for this long, and Sony's only now making this known. PSN and Qriocity are still down, and probably will be another few days, if not another week.

    This should be. . . err. . . interesting to see play out, for lack of a better term.

    I imagine a few CISSP and other security certs will be rapidly removed from walls in cubes in that company.
  • eMeS (Member; Posts: 1,875)
    tpatt100 wrote: »
    I thought disclosing security breaches is not required and plenty of breaches are never revealed.

    These differ state by state....Mass. and California have the toughest breach laws in place.

    MS
  • Devilsbane (Member; Posts: 4,212)
    15. How will I know if my personal information has been compromised?
    We have provided notices to consumers at the email addresses associated with their PlayStation Network/Qriocity accounts. You may also visit Support - PlayStation.com and Qriocity - Home for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your credit card account statements and to monitor your credit reports.

    If I wasn't emailed this notice, does that mean my data wasn't compromised?
    Decide what to be and go be it.
  • RobertKaucher (Member; Posts: 4,298)
    Devilsbane wrote: »
    If I wasn't emailed this notice, does that mean my data wasn't compromised?
    It might also mean the attacker has logged in and changed your email so you will not get notified. So you are just SOL.
  • Devilsbane (Member; Posts: 4,212)
    It might also mean the attacker has logged in and changed your email so you will not get notified. So you are just SOL.

    I wonder if they would give me my password since I don't remember which one I used. Seems fair.


    Reading the comments on Sony's posting. This one amused me.
    Excuse me while I go change my password.. oh wait. I can’t.
    another notable one
    On that topic.. when you say that our password data may have been accessed, I hope you mean that our hashed, non-reversible password data may have been accessed.. right? You didn’t have our passwords in plaintext on your servers, did you?
  • jtoast (Member; Posts: 226)
    Devilsbane wrote: »
    If I wasn't emailed this notice, does that mean my data wasn't compromised?
    No, it means they were slow. I got my email this morning.
  • Devilsbane (Member; Posts: 4,212)
    jtoast wrote: »
    No, it means they were slow. I got my email this morning.

    Yeah, I got mine at like 8:00 last night. Wishful thinking.

    Dear Hackers,

    I know that you have my address, email, and password.
    Would you kindly pick one of the addresses and send me
    my password so that I should know if I need to be worried.

    Yours Truly,
    Devilsbane
  • headshot (Member; Posts: 77)
    Sony internets still down... what an epic fail on their part.

    I'm jonesing to pwn some nooberts on cod.
  • Anonymouse (Member; Posts: 509)
    I'm glad I don't store my CC info on my PS3. Sure miss playing some SSF4, BB:CS, and MvC3 online lately though.
  • erpadmin (Member; Posts: 4,165)
    My email isn't the one used...but my fiancee's dummy account was. When I read jtoast's post, decided to see if I did in fact get the email.....

    I did....got it on April 27...TEN DAYS after the fact....

    I do remove my CC after each and every time the wifey wants a game. I wasn't so much worried about being hacked as I was that I didn't want her buying games at-will... (If we get into a fight, she'll pull that crap to make herself feel better....lmao....women...)


    She has both the PSP AND the PS3...the PS3 she wanted EA's Active 2. I saw it as an excuse for me to also load up on some COD!


    I do use TrustedID as a monitoring service (I have been a victim of ID theft) and I'm not too worried about my CCs....my CCs are pretty good at recognizing fraudulent behavior (which is why I always let them know that I will be travelling to such-and-such place during such-and-such dates.)

    A little off-topic, but I just got approved for American Express Gold...lol! Yeah, I effing made it! :p


    Wed, April 27, 2011 7:18:01 PM
    Important information regarding PlayStation Network and Qriocity services
    From: PlayStation Network <[email protected]>
    To: fiancee's account

    ===================================

    PlayStation(R)Network

    ===================================

    Valued PlayStation(R)Network/Qriocity Customer:

    We have discovered that between April 17 and April 19, 2011,
    certain PlayStation Network and Qriocity service user account
    information was compromised in connection with an illegal and
    unauthorized intrusion into our network. In response to this
    intrusion, we have:

    1) Temporarily turned off PlayStation Network and Qriocity services;

    2) Engaged an outside, recognized security firm to conduct a full
    and complete investigation into what happened; and

    3) Quickly taken steps to enhance security and strengthen our
    network infrastructure by rebuilding our system to provide you
    with greater protection of your personal information.

    We greatly appreciate your patience, understanding and goodwill
    as we do whatever it takes to resolve these issues as quickly and
    efficiently as practicable.

    Although we are still investigating the details of this incident,
    we believe that an unauthorized person has obtained the following
    information that you provided: name, address (city, state, zip), country,
    email address, birthdate, PlayStation Network/Qriocity password and login,
    and handle/PSN online ID. It is also possible that your profile data,
    including purchase history and billing address (city, state, zip),
    and your PlayStation Network/Qriocity password security answers may
    have been obtained. If you have authorized a sub-account for your
    dependent, the same data with respect to your dependent may have
    been obtained. While there is no evidence at this time that credit
    card data was taken, we cannot rule out the possibility. If you have
    provided your credit card data through PlayStation Network or Qriocity,
    out of an abundance of caution we are advising you that your credit
    card number (excluding security code) and expiration date may have
    been obtained.

    For your security, we encourage you to be especially aware of email,
    telephone and postal mail scams that ask for personal or sensitive
    information. Sony will not contact you in any way, including by email,
    asking for your credit card number, social security number or other
    personally identifiable information. If you are asked for this information,
    you can be confident Sony is not the entity asking. When the PlayStation
    Network and Qriocity services are fully restored, we strongly recommend that
    you log on and change your password. Additionally, if you use your PlayStation
    Network or Qriocity user name or password for other unrelated services or
    accounts, we strongly recommend that you change them as well.

    To protect against possible identity theft or other financial loss, we
    encourage you to remain vigilant, to review your account statements and
    to monitor your credit reports. We are providing the following information
    for those who wish to consider it:
    - U.S. residents are entitled under U.S. law to one free credit report annually
    from each of the three major credit bureaus. To order your free credit report,
    visit www.annualcreditreport.com or call toll-free (877) 322-8228.

    - We have also provided names and contact information for the three major U.S.
    credit bureaus below. At no charge, U.S. residents can have these credit bureaus
    place a "fraud alert" on your file that alerts creditors to take additional steps
    to verify your identity prior to granting credit in your name. This service can
    make it more difficult for someone to get credit in your name. Note, however,
    that because it tells creditors to follow certain procedures to protect you,
    it also may delay your ability to obtain credit while the agency verifies your
    identity. As soon as one credit bureau confirms your fraud alert, the others
    are notified to place fraud alerts on your file. Should you wish to place a
    fraud alert, or should you have any questions regarding your credit report,
    please contact any one of the agencies listed below:

    Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
    Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
    TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division,
    P.O. Box 6790, Fullerton, CA 92834-6790

    - You may wish to visit the website of the U.S. Federal Trade Commission at
    www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania
    Avenue, NW, Washington, DC 20580 for further information about how to protect
    yourself from identity theft. Your state Attorney General may also have advice
    on preventing identity theft, and you should report instances of known or
    suspected identity theft to law enforcement, your State Attorney General,
    and the FTC. For North Carolina residents, the Attorney General can be
    contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone
    (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney
    General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202;
    telephone: (888) 743-0023; or www.oag.state.md.us.

    We thank you for your patience as we complete our investigation of this
    incident, and we regret any inconvenience. Our teams are working around the
    clock on this, and services will be restored as soon as possible. Sony takes
    information protection very seriously and will continue to work to ensure that
    additional measures are taken to protect personally identifiable information.
    Providing quality and secure entertainment services to our customers is
    our utmost priority. Please contact us at 1-800-345-7669 should you have any
    additional questions.

    Sincerely,

    Sony Computer Entertainment and Sony Network Entertainment
  • Devilsbane (Member; Posts: 4,212)
    Here we come approaching a month since the breach happened, and I still know nothing more than what they released a week after it happened. I went to log in today and it looks to be still down.

    I'm not sure how they are going to ever recover from this.
  • colemic (Member; Posts: 1,568)
    Devilsbane wrote: »
    Here we come approaching a month since the breach happened, and I still know nothing more than what they released a week after it happened. I went to log in today and it looks to be still down.

    I'm not sure how they are going to ever recover from this.

    Wow. I'm not a gamer, but are you paying for this? Are you still being charged?
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • chrisone (Senior Member; Posts: 2,130)
    PSN status:
    [images: playstation_network_down_april_22.jpg, NETWORK+DOWN.jpg]
  • MentholMoose (Senior Member; Posts: 1,524)
    Devilsbane wrote: »
    Here we come approaching a month since the breach happened, and I still know nothing more than what they released a week after it happened. I went to log in today and it looks to be still down.
    Here's some analysis based on the little that's been released:
    https://www.veracode.com/blog/2011/05/possible-playstation-network-attack-vectors/
    MentholMoose
    LFCE - MCITP: EDA7, VA, SA, EA - MCSA:S 2003 - CCA (PVS 5, XD 3 / 4 / 5, XS 5 / 6) - VCP 4 / 5