Sony clarifies when it knew of data theft

Sony has issued a statement regarding the gap between when it pulled the plug on the PlayStation Network and when it alerted users of the data theft, claiming that experts didn't know the scope of the breach until Monday.


Sony has issued a statement regarding the gap between when it pulled the plug on the PlayStation Network and when it alerted users of the potential data theft. Corporate communications director Patrick Seybold clarifies what the company knew and when, claiming that the investigation didn't yield concrete results until Monday:

There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday [Monday] to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon [Tuesday].

It does seem likely that Sony suspected user data theft was a possibility when it pulled the plug last Wednesday, and gamers can draw their own conclusions on whether knowledge of the possibility should have had Sony alerting users earlier. Even given the statement, the company apparently confirmed the data theft on Monday but announced it on Tuesday. Still, Seybold denies that the company sat on the knowledge for a full week.

In a rare spot of good news, Sony's MMO-centric division Sony Online Entertainment has confirmed that it was not a victim of the attack, as its systems and databases are separate.

"We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons," SOE director of global community relations Linda Carlson explained.

Sony has also set up a FAQ page regarding the incident. It declines to comment on the frequency of attacks on the PSN or its security measures, and reminds users to stay vigilant and take common-sense identity theft prevention steps. Be wary of e-mails or telephone calls asking for personal information, and if you provided PSN with a credit card, watch your credit statements carefully for signs of fraud.

Sony is expected to resume some PlayStation Network services within a week, and will be promoting games that were meant to come out in the interim. Meanwhile, analysts point out that while the financial impact is hard to predict, the company has been hit by a serious issue of consumer trust.

Editor-In-Chief
From The Chatty
  • reply
    April 27, 2011 12:00 PM

    Steve Watts posted a new article, Sony clarifies when it knew of data theft.

    Sony has issued a statement regarding the time disparity between shutting down the PlayStation Network and alerting users of the data theft, claiming that experts didn't know the scope of the breach until Monday.

    • reply
      April 27, 2011 12:27 PM

      This is why it's hard for me to understand why people are so mad about the info they got yesterday. Yes, it would have been nice to be able to get the info sooner, but SONY didn't know either.

      Would we rather have them potentially have cried wolf?

      If you hear of an information network getting hacked you should automatically think that it's possible that your info was stolen, not wait for a company to confirm it, then get all up in arms when they finally do.

      You people make it seem like Sony has been the first company to get hacked and had customers' information stolen.

      • reply
        April 27, 2011 12:34 PM

        you people

        • reply
          April 27, 2011 12:40 PM

          Sorry, yes it was a bit generic, but if you look at the other posts about the whole PSN fiasco (in particular the reveal of the stolen info) you would see who I'm talking to.

      • reply
        April 27, 2011 12:36 PM

        They knew something bad happened when they took the shit down or they wouldn't have taken the whole system down.

        • reply
          April 27, 2011 12:42 PM

          But they didn't know to what extent, they couldn't have known to what extent right away. If I recall correctly in one of the first reports Sony had stated that there was a possibility that info might have been stolen, then later it was confirmed.

          • reply
            April 27, 2011 1:37 PM

            How many ounces of kool aid does the sony defense force mug hold?

      • reply
        April 27, 2011 12:44 PM

        It's probably the way they worded their announcement.

        • reply
          April 27, 2011 12:47 PM

          Eh, could be, good PR people can be so hard to come by.

          • reply
            April 27, 2011 1:50 PM

            And it's been proven time and time again that Sony's PR is some of the best in the business!

      • reply
        April 27, 2011 12:49 PM

        I'd rather them cry wolf than try to piece themselves back together. It's unacceptable they waited as long as they did. Identity theft is a serious issue.

        • reply
          April 27, 2011 12:52 PM

          did you read their press release?

          • reply
            April 27, 2011 3:02 PM

            Yes, but if you are willing to shut down a network and have to have experts come in to tell you what's wrong with "your network", then that's a code red in my book.

      • reply
        April 27, 2011 1:41 PM

        [deleted]

      • reply
        April 27, 2011 7:31 PM

        I think the hate begins with the PSN itself, before the breaches - their brand was already damaged. The breach is just the cherry on top of the shit cake that is the PSN.

    • reply
      April 27, 2011 12:42 PM

      I wonder if they will clarify "experts". did they have their own, or did they need to wait for outside experts?

      • Ebu
        reply
        April 27, 2011 12:45 PM

        They have clarified that. They did bring in outside experts.

        I'm sure, though, that their people were involved as well.

        • reply
          April 27, 2011 1:31 PM

          ahhh, that makes sense. this is quite the clusterfuck, I'm sure they want verifiable outside analysis as well.

    • reply
      April 27, 2011 12:53 PM

      Why would someone hack the PSN? I would go for xbox live, not to steal anything but just to show them I could. I'm pretty sure xbox live has more security, but why go for something that's weaker/smaller?

      I only know how to hack routers, so if xbox live does get hacked don't look at me.

      • reply
        April 27, 2011 1:02 PM

        Actually, just by posting that comment on the web your IP has been backtraced and the proper authorities notified.

      • reply
        April 27, 2011 1:35 PM

        if they were just after CC info in the first place, and not fame, then it makes sense to go for the easiest target.

    • reply
      April 27, 2011 1:06 PM

      I'm sure the engineers who built and maintain PSN were delighted that external 'forensics experts' had to be brought in to investigate their own system logs.

      From an engineer's perspective, if a serious network intrusion has been detected (and you know the means by which it occurred) then you will immediately know if sensitive information could have been compromised through that means, encrypted or not. It isn't rocket science - it's knowing how your damn system works.

      In my opinion, Sony crossed their fingers and sat on this information for a week. They hoped they could avoid the PR shit-storm by proving that customer information WAS NOT leaked instead of providing an early heads-up on the possibility that it was. Given how credit card information was also at risk, this was an extraordinarily immoral thing to do.

      • reply
        April 27, 2011 1:23 PM

        There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised.

        this is similar to saying there was a time lapse between noticing your door has been kicked down, versus when you realized if anything had been stolen. when the "goods" are virtual this can be complicated

        • reply
          April 27, 2011 1:38 PM

          If my door has been kicked down, I'm going to suspect that someone has been in my house and that my possessions are gone. It might take a while to confirm but that part is irrelevant. The suspicion alone was reason enough for Sony to alert its users.

          • reply
            April 27, 2011 1:48 PM

            that's exactly what they did.

            • reply
              April 27, 2011 1:54 PM

              [deleted]

            • reply
              April 27, 2011 2:14 PM

              I don't think you are understanding what I'm getting at here. Sony knew about this possibility a week ago - it's why they've spent all this time 'rebuilding PSN', bringing in data forensics agencies, etc. Why do you think they were right to hold such information back from the people it could affect the most?

              • reply
                April 27, 2011 10:47 PM

                People are idiots. It wouldn't have made any difference if Sony had come out sooner with any more info than they did. These threads are proving how reactionary, paranoid and filled with indignant outrage the average user is. I'm not surprised they didn't come out with a thousand possibilities of what the breach could have meant, there's a shit storm either way and my only annoyance would be if they didn't immediately alert relevant authorities of the deeper potential implications.

    • reply
      April 27, 2011 1:21 PM

      Not sure if this has been mentioned in the other threads or not but surprise surprise, Sony has been dealt a class action lawsuit for their handling of this situation. http://uk.ps3.ign.com/articles/116/1164392p1.html

      Talking of which, it's been over a day and I still don't have any email notification from Sony.

    • reply
      April 27, 2011 2:14 PM

      No matter how you look at this situation it's obvious that Sony screwed up. They should have notified us immediately that our information MAY have been compromised. Even if you don't believe that they should have, ask yourself why they didn't tell us Monday when they claim they found out? Why did they wait a day?

      There was a great comment on Kotaku yesterday about how Sony is bound by certain laws as a vendor who accepts credit cards. One of the requirements is that our information be encrypted. Sony did NOT encrypt our info.

      If Anonymous really is behind this attack then they did an incredible job of screwing Sony over. Look at all the Sony rage going on right now. Whoever orchestrated this attack did more damage than I think they even realize.

      • reply
        April 27, 2011 2:30 PM

        We don't know if the information was encrypted or not. Worryingly, that much hasn't been disclosed yet, nor have they explained why they actually store credit card information (it should be held by the payment processor, not the vendor).

        • reply
          April 27, 2011 3:07 PM

          If these guys were good enough to hack the network and cause Sony to shut it down, it's safe to assume that they are or could be smart enough to crack whatever encryption may have been used, or all "let's steal the encrypted data and crack it at a later date."

          What REALLY needs to be looked at is not this finger pointing and blame game (cause it's all childish and, well, just plain pointless) in this crime, cause well, that's what it is. What we need to look at is the fallout of what has been called, and is, the biggest breach of security in history. This is going to have ripple effects across not just the game industry but others as well. I am willing to take a good guess that most large companies go to the same firms for security.

          So don't companies like Apple with iTunes, Amazon, Blizzard potentially have this information stored? I can sign into both and one of my old numbers for an inactive card is still sitting there when I go through the payment process.

          • reply
            April 27, 2011 3:36 PM

            Well yes, there's always the possibility that whoever accessed the data was also able to grab the algorithm & key(s) used to encrypt it.

            My understanding is that Amazon and other companies only store several digits of your card number (typically the last four) along with the card name, expiration date, etc. Presumably when a user first enters their card details into the site, all of those details are sent to the payment processor company for storage at their end. When a user then makes a purchase on Amazon, the card details that Amazon actually have (name, last four digits, etc) are hashed together and sent on to the payment processor to verify and create the transaction.

            I could be wrong on this. Personally I've only dealt with single-blast payment processors where the details aren't stored at all. Nevertheless, if I'm right then this is the approach Sony should have been taking also, i.e. they shouldn't have the facility to leak important credit card information.

            • reply
              April 27, 2011 4:16 PM

              Okay, well, I have used a CC before on PSN and they do it the same way as Amazon, with the last 4 digits stored and the rest X'd out. Right now we don't know if CC information has been taken. From the way you explained the process, that is the same way PSN stored my number when I add funds to my wallet: Last 4 Digits, the rest X'd (don't worry, I have taken the steps needed to CYOA on Sat). So it would be a good educated guess that Sony used the same process as Amazon.

              Now, once in the systems, could they have traced this back to the Payment processor (which I guess is used by multiple companies)? So right now the reason that information is slow forthcoming is that this is a crime scene. So anything and everything is evidence. Having a friend that was a victim of a crime recently, when it comes to law enforcement there is very little that can be talked about once the investigation has started.

              • reply
                April 27, 2011 10:36 PM

                You appear to be a product of the CSI generation. Your analytical skills are astounding.

            • reply
              April 27, 2011 4:46 PM

              http://online.wsj.com/article/SB10001424052748703778104576287362503776534.html?mod=WSJ_Tech_LEFTTopNews


              So JP Morgan and Chase got hit too... but both FBI and Sony are "declining" to say if they are working together. Which is another way of saying "I can neither Confirm nor Deny this."

              I do reckon there is an investigation going on here, good sirs..

          • reply
            April 27, 2011 4:19 PM

            "cracking" encryption isn't practical unless they've done something really stupid when encrypting (like, for instance, what they did with the PS3).

    • reply
      April 27, 2011 2:47 PM

      Wtf is wrong with everyone and this hate toward Sony.. I guess Anon was in the right telling the WORLD of hackers to attack them right? And for what? the punk Geo and OS on the ps3 to allow pirated games... What does Sony have to gain by lying to everyone? They have the FBI there with them now supporting them, I highly doubt they would want to get caught doing that... If the punks who started this mess aren't caught then shit has to change on the web. It's one thing to be free and Anonymous and it's another to use that to cause damage and harm to others....

      • reply
        April 27, 2011 3:00 PM

        Um ok.

      • reply
        April 27, 2011 3:26 PM

        wut?

      • reply
        April 27, 2011 3:53 PM

        Are we not allowed to hate on Sony for being bitches with our personal info, which they promised to protect?

      • reply
        April 27, 2011 4:00 PM

        the WORLD of hackers... punk geo.... really makes u think....

      • reply
        April 27, 2011 4:22 PM

        It's not some 'punks' who did this. This was a professional cracking crew intentionally out to grab user information and sell it. The FBI will have an announcement about this week (according to the WSJ).

        • reply
          April 27, 2011 4:33 PM

          Oh well, that about puts it to rest for me. Crime scene, FBI, yeah, this is WAY Beyond the "bad encryption" thing that the internet seems to be exploding about.

          • reply
            April 27, 2011 4:54 PM

            both can be true btw

            • reply
              April 27, 2011 5:20 PM

              trust me on this and it's not that I don't agree with but no security, no matter how strong, is break-in proof. From Reading that Article on the WSJ there have been other High profile Companies like JP Morgan and Chase. Now the reason why that's not all over the news is because JP Morgan and Chase does not have an online service that affects 70 million users. What's scary is that JP Morgan and Chase has a lot more and far more sensitive material than Sony, being that it is a bank.

              This incident and others in recent months have put Hacking, cyber theft and information theft in the limelight. It's safe to say neither Law Enforcement nor these large companies are really prepared... nor are we the consumer.

              • reply
                April 27, 2011 6:10 PM

                I tried reading your post but kept wondering why you capitalise random words.

                • reply
                  April 27, 2011 6:43 PM

                  fast finger... summary: Sony's not the only company this has happened to in months, JP Morgan and Chase, a major bank, had a security breach as well. Neither law enforcement and large companies nor the consumer are really ready for the increase in cyber theft etc....

      • reply
        April 27, 2011 4:27 PM

        Man you take attacks against Sony too personal. Sony is not alive nor does it have feelings, plus a company that takes in Billions of dollars a year does not need TotalRecall to fight its battles for them.

        • reply
          April 27, 2011 7:03 PM

          I know Mr. Sony personally. We play golf together on Sundays. I can assure you that he is most upset about this situation.

      • reply
        April 27, 2011 4:28 PM

        lol

      • reply
        April 27, 2011 4:31 PM

        Sorry bro but I hate on companies that don't protect my personal information, even if the hackers who exposed that problem were in the wrong themselves.

        • reply
          April 27, 2011 5:44 PM

          ^ lol, your personal info is never 100% secure.

          • reply
            April 27, 2011 5:51 PM

            It is if you give it to Vinny. He keeps it in his jacket pocket, and nobody fucks with Vinny.

      • reply
        April 27, 2011 5:47 PM

        The current theory is Sony didn't do enough to ensure our data was encrypted, that they may have been storing them in plaintext or an unsalted hash (because PSN was able to historically check if you've used any password you gave it, previously).

      • reply
        April 27, 2011 5:55 PM

        you've bottomed out another thread, congrats!

      • reply
        April 27, 2011 6:02 PM

        LEAVE SONY ALONE!

      • reply
        April 27, 2011 7:01 PM

        GET YOUR ASS TO MARS

      • reply
        April 27, 2011 10:46 PM

        4/10?

        Work on your comedy

      • reply
        April 27, 2011 10:47 PM

        [deleted]

      • reply
        April 27, 2011 10:55 PM

        http://food.change.org/blog/view/hold_the_fish_please

        Scroll down to W L's comment

      • reply
        April 27, 2011 11:07 PM

        GET TO DA CHOPPA!

      • reply
        April 28, 2011 6:49 AM

        Hahaha, you speak like a cross between an an-alphabet and Staline... Terrifying...

    • reply
      April 27, 2011 8:39 PM

      Sonyclassaction.com was registered today. Missed my chance to snag that domain :)

    • reply
      April 27, 2011 8:47 PM

      I received an email, confirming that my data was in fact stolen but it was not known whether or not my credit card info was stolen as well... in the email it doesn't say anything about any of the information being encrypted and encourages me to contact the credit reporting bureaus and monitor my bank account. Dunno if anyone else got this email as well

    • reply
      April 27, 2011 11:02 PM

      I'm just tired of changing my password all the time. DEATH SENTENCE TO HACKERS.

    • reply
      April 28, 2011 12:05 AM

      Those goddamn hacker-punks...
