Sony held a press conference yesterday to address the recent intrusion into the PlayStation Network. In the address, Sony’s Kaz Hirai covered a number of key points across a variety of topics.
About the Attack
The attack was not related to Anonymous, although Sony did bring up the fact that the loose organization of ‘hacktivists’ had attacked the servers in the past few months. Those attacks were limited to denial of service attacks.
The recent intrusion was described as “skillful” and passed through the company’s firewalls and other security measures because it appeared to be a normal transaction. The attack created a backdoor with a command attached as a trigger, after which the system could be manipulated remotely.
The attack used a known vulnerability, but the vulnerability was not known to Sony’s management. Since the intrusion, security measures have been upgraded against that particular attack mechanism.
It took Sony until 27 April to confirm that data was compromised. The publisher had been working with 3 different analysis organizations beginning from 20 April.
Information from up to 78 million PSN and Qriocity accounts was stolen. At the time of the attack, 37 million PS3s and 16 million PSPs had connected to the PlayStation Network, and 10 million credit cards were linked to PSN.
Sony will be doing further testing and inspection of its security measures to prevent future security breaches. The company believes that their security is adequate at this time.
Compromised Information
Kaz Hirai says that no improper credit card usage has been reported to the company, and Sony has no evidence of credit card information being compromised.
Credit card information was stored in an encrypted format, in a different part of the database from the information that was compromised.
User passwords were not encrypted, but they were hashed.
Investigation
Authorities outside of Japan have contacted Sony and requested its cooperation with their investigations. The Federal Bureau of Investigation is currently involved in the investigation. Sony also plans to answer an inquiry from the US House of Representatives.
The investigation is described as “global”.
Sony was not fully aware of the extent of the attack until 27 April. The conference was delayed to work out compensation and other considerations for affected PSN users.
Resumption of Services and Compensation
Compensation for PlayStation Network usage and credit card-related compensation are being considered separately. Sony will pay for credit card reissuing and assist with monitoring and insurance programs for customers. Improper charges will be handled on a case-by-case basis.
Service for the PlayStation Network will be resumed “within a week.” Sony will be bringing services back online incrementally. Different regions may see services return at different times. All services will be resumed within a month.
Every PSN user will receive a free month of PSN+, while current subscribers will receive 30 days of free time. Qriocity subscribers will also receive a free month, and some titles will be available for free download.
Sony will absorb the subscription costs, which are estimated to be $15-20 for each PSN+ account and a few thousand yen for the titles.
Immediate Actions
Sony will be relocating its data center from San Diego to a more secure location and adding additional safeguards, firewalls and encryption to increase the security. The company will be creating new job positions to monitor security. Some of these measures have already been taken, but Sony will not comment specifically out of security considerations.
Sony will provide a way for users to view their purchase history online to check for any abnormalities.
The company will allow its users to leave PSN. Sony is looking into ways to refund any balances on PSN and PSN+ fees. They will create a system to allow users to erase their information if they so desire.
Sony will provide a firmware update as soon as the PSN returns online, and users will be required to change their password. Passwords can only be changed on the PlayStation 3 system the account was created on or through a verified e-mail address. This is to prevent hackers from potentially stealing user accounts.
Sony admits that they were slow to provide updates to PSN users in Japan compared to those in the United States and Europe. They plan to create a blog to serve Japanese customers to provide news updates.
Tablet and NGP launch dates are unaffected by the intrusion.
Kaz Hirai gave a heartfelt apology on behalf of Sony and said that the company fully intends to earn back the trust of its users and its developers in the PlayStation Network ecosystem.