Sony Playstation Network Compromised in Unprecedented Security Breach

Today, my thoughts of “Man, I wish I could play Portal 2 on my Playstation 3” quickly turned to “Oh crap, now I gotta change my passwords again.”

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

To paraphrase gaming guru Garnett Lee, “Holy crap, an absolute worst-case scenario security breach and it takes Sony almost a week to own up to it.”

For consumers, the fact that Sony waited this long to inform users that their credit cards might have been compromised is an unconscionable delay. That said, from a corporate standpoint, I understand why they did it. This is not a situation where you can afford a “false positive.” Announcing that people’s accounts have been compromised before understanding the nature of the breach creates unnecessary panic and instantly destroys credibility. There were very few pitfalls for Sony, as a company, in waiting to figure things out. (Their credibility was already going to be in tatters after this. Waiting a few days longer didn’t change that too much, except to make the tatters finer and more decrepit looking.)

My guess is, they knew immediately that data had been compromised, but they didn’t know how much of it or in what manner (it sounds like they are still figuring that part out). If the scope of the intrusion was limited, they could have made a determination, made a brief announcement and tried to deal with the limited number of people that were affected. But it turned out not to be limited, and now millions of people are pretty pissed about it.

Lots of questions still remain. How did this intrusion take place? Who was responsible? Did one single individual or party really get access to dozens of millions of credit card numbers? Who was affected? And so forth. Whatever the case, this news is huge, and will shape people’s perception of the Sony brand and the Playstation Network for years to come.

  • Most people were speculating it was retaliation over the whole George Hotz lawsuit, by the hack group Anon. This seems to refute that notion:

  • @buggzero Most people are speculating that it was hackers acting in retaliation over the whole George Hotz thing, not necessarily Anonymous.

    And since there is no central leadership in Anonymous, a statement on anonnews of "We didn't do it" only means "I, the guy making this graphic, nor any other people I know in Anonymous, did this".

    I'm annoyed that most of the criticism over the PSN outage by various blogs/sites has been directed at Sony, as if they are supposed to be impenetrable from hacking. In theory, everything can be hacked. Put the blame where it lies, with the hackers. If a criminal robs a store, you don't blame the owner for not having enough armed security guards stationed throughout the store.

  • Edit to my previous post: If it's true that all this user info was stored as plaintext (not encrypted) then by all means throw some hate Sony's way.

  • @Toefer – Agreed, it's unreasonable to assume that any company is infallible. But Sony did piss off a lot of people with that stunt, it was natural to assume that it was a progression of what was started.

    That being said, it feels like this is happening quite often. But this is not as bad as half a dozen retailers and such saying your email has been leaked to spammers. And very true, if our purchase and contact info was left in the clear. You're right, then they are fully deserving of the heat.