Post: Sony PSN Updates, Publishing Partners Letter Detailes. i want to hear opinions
Options
05-13-2011, 04:52 AM
#1
alchybear
< ^ > < ^ >
I want you all to see how many times Sony changes their story and your opinion upon SONY.
this will also have more than just PSN news with in it.
[multipage=Lawyers take aim at Sony hack, may miss on payout 5/13/11 ]
The recent hacker attack at Sony Corp (6758.T) and other corporate data breaches are attracting more class-action lawyers eager to score a payday, though huge monetary settlements may be elusive.
Related Articles
Court rules against Rambus, shares plunge
Court says Rambus wrongly destroyed documents
U.S. court says Rambus wrongly destroyed documents
Related Topics
California Facebook Court New York Sony Attorney General Lawyer Advertising
Subscribe to The Economic Monitor
Subscribe to The Economic Monitor to get the day's most relevant news, data and anlaysis .
Sample
At least 25 lawsuits have been filed against Sony in U.S. federal courts over the theft of user data from the PlayStation game network, according to Westlaw, a Thomson Reuters Corp legal database.
The lawsuits accuse Sony of negligence and breach of contract for allowing the personal data of more than 100 million online video game users to be compromised and stolen.
The challenge for plaintiffs' lawyers in security breach cases is not proving liability on the part of companies, but establishing damages, according to attorneys involved in this kind of litigation.
Sony has been criticized for not telling customers quickly enough last month that their personal data was compromised. The consumer electronics company said it is possible that whoever broke into Sony's system made off with about 12.3 million credit card numbers.
Must Read
'Huge' porn stash found in Bin Laden's bedroom, U.S. official says
Interesting Photos from Around the World
Sponsorship Link
Grow Your Business with Email Marketing
"Had Sony properly secured its database through known and available encryption methods, even if a hacker were able to enter the network, he would be limited in his ability to inflict harm," one lawsuit says.
A Sony representative declined to comment. The company has apologized to its customers.
Judges are just beginning to address whether the disclosure of someone's personally identifiable information (PII) represents a loss of value, or if plaintiffs must show they suffered additional costs because of a hack.
Last month, a federal judge in Oakland, California, declined to dismiss a proposed class-action lawsuit over a 2009 data breach at RockYou, which develops applications for Facebook and other social networking sites. The plaintiffs claim they provided PII in exchange for products and services.
U.S. District Judge Phyllis Hamilton found that allegation sufficient to allow the lawsuit to move forward, but ruled that the case will fail if the plaintiffs cannot demonstrate tangible harm from the breach.
Still, with even more personal information spreading online via cloud computing, which allows users to store files on the Internet, some plaintiffs' attorneys think the dollar awards will get bigger.
"The breaches will become more spectacular in the future," said Ira Rothken, a San Francisco-based lawyer who handles privacy class actions.
Rothken filed a motion on Monday to consolidate all the Sony lawsuits in the U.S. District Court for the Northern District of California. The FBI and attorney general in New York also are investigating the security breach.
Data breach cases also have attracted larger class-action law firms that are better known for bringing shareholder securities fraud litigation.
Milberg LLP, a veteran securities class-action law firm, is among those that have filed lawsuits over the Sony incident. The firm started to devote resources to online class actions "within the last year or so," partner Peter Seidman said.
San Diego-based Robbins Geller Rudman & Dowd LLP, the national class-action firm started by one-time Milberg defector William Lerach, also sued Sony. If the lawsuits were consolidated, a judge would decide which lawyers will represent the plaintiffs -- and be in line to recoup most of the fees.
A boutique law firm representing the RockYou plaintiffs, Edelson McGuire in Chicago, is also representing plaintiffs in the Sony case. The firm, which has long litigated data breach and Internet privacy lawsuits, has grown from five to 20 attorneys over the last three years, partner Jay Edelson said.
There have been 190 reported data breaches this year, up from 142 in all of 2005, according to a tracking database maintained by the Open Security Foundation. In 2010, the number of reported breaches stood at 493, down from 624 the year before.
But Internet privacy-related lawsuits do not yield the nine-figure settlements that can be found in classic securities fraud cases, Edelson said.
Attorneys' fees in breach cases have historically topped out at $7 million to $8 million, he said. One of the largest early data breach cases, involving Internet advertising company Doubleclick, settled in 2002 and paid $1.8 million in legal fees.
Companies will often propose solutions like free credit monitoring as part if a settlement. Indeed, Sony has already offered its customers complimentary enrollment in an identity theft protection plan.
Karen Johnson-McKewan, a partner at Orrick, Herrington & Sutcliffe LLP who defends technology companies, said privacy cases could be more popular with plaintiff lawyers as the U.S. Supreme Court makes it more difficult to pursue other kinds of class actions.
Sounds like another she said.
[multipage= Sony PlayStation Network Breach Shows Trouble With Tracking Hackers 05/13/11]
Efforts to identify the still-at-large attackers that stole personal information from Sony’s PlayStation network raise questions about how the companies that fall victim to cyber crime can track down these hackers -- and whether they can overcome the roadblocks the perpetrators know to put in place.
These cyberattackers leave no fingerprints, footprints, or clothing fibers. They enter silently and stealthily, frequently using a network of computers located all over the world and digital weaponry culled from for-hire hackers. They can delete evidence, erase their tracks, weaken a system’s defenses with an army of computers at their command and route their attacks through countries where U.S. law enforcement has no reach.
Sony has hired a team of outside investigators working with the Federal Bureau of Investigation to track down the people that stole names, addresses and potentially credit card numbers from 100 million users. The company has fingered Anonymous, an activist hacker group, in the breach, though the organization has repeatedly denied any involvement. Sony acknowledged in a letter to Congress that three weeks after the attack, the perpetrators had not yet been identified.
“The truth is that retracing the steps of experienced cyber attackers is a highly complex process that takes time to carry out effectively,” wrote Sony’s Kazuo Hirai, chairman of the board of directors.
Though Sony has offered few specifics on how attackers were able to steal data from their servers or how they’ve attempted to find them, security experts described in broad strokes how digital forensics experts might solve a “whodunit” of the sort Sony faces.
The time-intensive process of tracking down online attackers is fraught with technical and legal challenges, these experts say, while noting that savvy criminals wield a vast arsenal of tools both online and off to escape detection.
Once a company discovers its network has been breached, investigators will usually first comb the server’s log files, which record all traffic to and from the server including attempts to access the network or extract information from it. Reviewing these records -- the digital equivalent of watching security camera footage -- offers a look at any suspicious communication with a company’s network and where it may have originated.
These data logs “allow you to reconstruct the attack,” said Roel Schouwenberg, a senior malware analyst with Kaspersky Lab, an antivirus software provider. “Looking through the logs you can find some anomalies. There is generally a difference in the log between a regular user surfing a site and somebody who tries to push certain information onto a web server.”
The logs may reveal that a computer has planted a file on the server -- Sony said it found a file labeled “Anonymous” on its network -- transferred data from the network, attempted to access the database without authorization or made a number of other unusual requests. The server records can then identify what computer carried out those commands by calling up its IP address, a kind of DNA for devices that identifies each and every gadget connecting to a computer network with a unique number.
But this IP address is frequently akin to a stolen driver’s license a thief intentionally leaves at a crime scene to mislead police.
Anticipating that cyber detectives will track down this information in the log data, hackers often cover their tracks by assuming a false identity when they breach the network: they will route an attack through a series of machines and servers that are connected in ways that make it difficult, if not impossible, to track one to the next.
For example, the IP address of the machine that breached Sony’s servers could have belonged to a "middleman" acting as an intermediary between Sony’s network and another computer. And in turn, that computer might have been an unsuspecting teen’s MacBook that hackers controlled remotely from a cybercafe located states, countries, or continents away.
Each node in this link of computers could be a dead end. Hackers may rent out computers from companies that provide servers and promise not to store potentially incriminating log data, or they illicitly gain access to personal computers.
“What we’ve seen is that the IP address [involved in the attack] is very commonly a machine provided by a legitimate hosting service that rents or sells such machines, but the identity associated with the purchase is either stolen or false,” said Matthew Geiger, a forensics expert with Carnegie Mellon’s Software Engineering Institute. “Another possibility is that it belongs to another compromised system: somewhere upstream of the victim is another victim. It could be a home system like yours or mine.”
Cyber criminals also frequently attempt to delay or derail a probe by using machines in countries where the FBI has no jurisdiction and would be unable to tap into records about Internet activity. The records maintained by Internet service providers can sometimes shed light on large data transfers that connect a criminal to her crime -- but the information may be off limits without the proper legal permissions.
Geiger noted that hackers also know they can “delay substantially -- and in some cases impeded irreparably -- an investigation by requiring lot of cooperation between different jurisdictions, some of which might not be friendly to each other.”
Security experts say server log files can also serve up key clues about the technical tools used to execute the attack. Just as a bullet can reveal the murder weapon and potentially even the person who pulled the trigger, any evidence of attackers’ digital weaponry could be linked to previous crimes, the underground online markets where the services are sold and particular hacker communities around the world.
“There’s a possibility that based on what you can recover from attackers’ tool kits and the tools left behind on the victim’s network, you might be able to find specific and relatively unique identifying components you can correlate with other crimes or even with known groups,” said Geiger. “Maybe somebody has noticed the tools for sale in particular place and can correlate them with the seller. There are commercial groups that follow underground forums used by cyber criminals to either sell their booty or to equip themselves with components for an attack.”
Even if investigators track an attack back to a particular computer through log files, IP addresses and a slew of other evidence, there often remains a gaping hole in their case: identifying who it was sitting at the keyboard orchestrating the attack.
“The most difficult challenge for law enforcement is putting a human being at the keyboard behind the attack,” said Adam Palmer, a cybersecurity advisor at Norton, a division of the security software firm Symantec. “It’s not enough to trace the attack back to a server. The server didn’t commit the crime. Technology is good, but these tools are being abused by human beings.”
[multipage=Sony PSN Japan Update, Publishing Partners Letter Detailed 5/12/11]
Following news that PSN internal testing is currently underway, today the official PlayStation Japan site has issued an update regarding the PlayStation Network outage alongside details from the official letter Sony sent out to their publishing partners.
To quote, roughly translated: "PlayStation Network" and "Qriocity" and continued failure, I am sorry indeed. As we told the other day with the latest information in regard to future service restart, will be conducted in stages on a regional basis to ensure the safety of our customers.
We are preparing to be able to resume service as soon as possible in Japan, and is now doing the verification stage for ensuring the safety and security, providing more advanced. Server to complete the relocation of more secure facilities, further strengthening the encryption, firewalls and expansion of new customers with peace of mind again on "PlayStation Network" and "Qriocity" to stay.
We also are supporting the monitoring and the introduction of warning systems to facilitate early detection of cyber attacks, subjected to a system upgrade intended to eliminate vulnerabilities, established a system to ensure information management to protect important personal information of customers.
For those of you committed to ensuring safety, but would take some time for some time now, humbly thank you for your understanding. For the latest information, this website will guide you at any time. To everyone of our customers and partners, we deeply apologize for the inconvenience and inconvenience."
In related news, IndustryGamers.com has shared a copy of the official letter Sony SVP Rob Dyer sent out regarding PSN to their publishing partners, as detailed below:
Dear Partner:
As you know, certain PlayStation Network, Qriocity and Sony Online Entertainment service user account information was compromised in criminal attacks against our networks. I want to assure you, as a PlayStation partner, that it is Sony’s top priority to restore our network operations and see that business is returned to usual as soon as possible.
We are working around the clock to restore service, but will do so only when we can ensure that the network can operate safely and securely. In the meantime, we greatly appreciate your patience, understanding and goodwill.
What Happened?
On Tuesday, April 19, 2011, Sony discovered that several PlayStation Network servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network. This activity triggered an immediate response.
Sony mobilized a larger internal team to assist the investigation of the four suspect servers. That team discovered the first credible indications that an intruder had been in the PlayStation Network system, and six more servers were identified as possibly being compromised. Sony immediately decided to shut down all of the PlayStation Network services in order to prevent any additional damage.
The scope and complexity of the investigation grew substantially as additional evidence about the attack developed.
The forensic teams were able to confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators and escalate privileges inside the servers. Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network.
On Sunday May 1, using information uncovered by the forensic teams, engineers at Sony Online Entertainment (SOE) discovered that data had also been taken from their servers. They, too, shut down operations and on Monday, May 2, announced the discovery.
What Data Are Affected?
As you may know, personal data was stolen from approximately 77 million PlayStation network and Qriocity service accounts.
As of this writing, there remains no evidence that the credit card information was stolen and the major credit card companies are still reporting that they have not seen an increase in fraudulent transactions due to this event.
What Steps Are Being Taken?
We have taken aggressive action to give consumers peace of mind, protect them against the abuse of their data, and enhance our security systems moving forward.
We have already advised our consumers in the U.S. that we will offer complimentary identity theft protection services through a leading provider, including an insurance program of up to $1 million. Similar programs are being developed in other markets around the world.
In addition, Sony is taking a series of steps to enhance security of our network infrastructure. They include but are not limited to:
adding additional automated software monitoring and configuration management to help defend against new attacks;
enhanced levels of data protection and encryption, as well as additional penetration and vulnerability testing;
enhanced capabilities to detect software intrusions within the network, unauthorized access and unusual activity patterns;
implementation of additional firewalls;
expediting a planned move of the system to a new data center in a different location with enhanced security; and
appointment of a new Chief Information Security Officer.
Finally, to thank our customers for their patience and loyalty, we are offering them "welcome back" packages as soon as the networks are restored, including free downloads of selected PlayStation entertainment, 30 days of free service as well as service extensions for the number of days PSN and Qriocity services were unavailable, with similar benefits for Music Unlimited subscribers.
Looking Ahead
We of course deeply regret that this incident has occurred. We are working closely with the FBI to identify and apprehend the culprits who committed this crime against our consumers, our partners and our company. I know you can appreciate how widespread the problem of cybercrime is in society today. Although no company is immune, we are confident our consumer data will be protected by some of the best security measures available today.
As a valued partner we aim to keep the lines of communication open so that you are aware of our progress. Our focus has been to confirm the security of the networks, protect customer data and get the services back on line as quickly as possible. We will do our best to respond to all of your inquiries and we will do everything we possibly can to support you.
We are doing everything we can to bring these services back online as soon as possible. We will update you with more information as soon as we can, but please call your account executive if you have further questions. We thank you for your patience and look forward to moving ahead together in the months and years to come.
Very truly yours,
Rob Dyer
SVP, Publisher Relations
[multipage=Sony Expects PSN Services to be Fully Restored by May 31, 2011 5/9/11]
I know you all want to know exactly when the services will be restored. At this time, I can't give you an exact date, as it will likely be at least a few more days. We're terribly sorry for the inconvenience and appreciate your patience as we work through this process."
Today Bloomberg (linked above) reports that Sony expects PSN services, including Qriocity, to be fully restored by May 31, 2011.
To quote: "Sony Corp.'s PlayStation Network and Qriocity online services remain shut as of today, Shigenori Yoshida, a Tokyo-based spokesman said. Sony is uncertain when it can resume the services, Yoshida said by phone today.
The company is in the process of adopting an improved security system and its plan to restart the services fully by May 31 is unchanged, he said. Sony shut down the PlayStation Network and Qriocity services April 20 because of possible data theft by hackers.
The maker of PS consoles had planned to restart partial operations within a week after boosting the level of security system, the company said May 1."
Read more: You must login or register to view this content.
[multipage=Sony's Response on PSN to the U.S. House of Representatives 5/8/11]
Today Sony's Senior Director of Corporate Communications & Social Media Patrick Seybold has posted an update on their PSN response to the U.S. House of Representatives via the PlayStation Blog.
To quote: Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on "The Threat of Data Theft to American Consumers."
Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you (click here).
In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:
1. Act with care and caution.
2. Provide relevant information to the public when it has been verified.
3. Take responsibility for our obligations to our customers.
4. Work with law enforcement authorities.
We also informed the subcommittee of the following:
Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named "Anonymous" with the words "We are Legion."
By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
Protecting individuals' personal data is the highestpriority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.
We told the subcommittee about our intent to offer complimentary identity theft protection to U.S. account holders and detailed the "Welcome Back" program that includes free downloads, 30 days of free membership in the
PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and extending PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.
We are working around the clock to have some PlayStation Network services restored and we'll be providing specific details shortly. We hope this update is helpful to you, and we will continue to keep you posted as we work to restore our network and provide you with both the entertainment and the security you deserve.
[multipage= Sony's Troubles Deepen, AT&T Merger Sparks Debate 5/7/11 ]
You must login or register to view this content.
Sony's woes deepened with news of another security breach as well as a subpoena. AT&T and Sprint, meanwhile, continued their war of words over AT&T's proposed merger with T-Mobile.
Sony's Data Breach Woes Continue
Sony stayed in the spotlight again this week regarding the grand-scale PlayStation data theft. On Monday Congress demanded answers from the company, asking how it could have allowed hackers to steal account information from its 77 million PlayStation and Qriocity users from April 17 to 19.
In response, Sony declined to testify before the House, saying it was too busy investigating another cyber-theft it just found out had taken place from April 16 to 17.
This earlier theft apparently compromised 24.6 million peoples' personal information, including credit and debit card numbers from subscribers around the world.
To get to the bottom of everything, Sony has hired top-notch private investigators and is also working with the Federal Bureau of Investigation.
The Tokyo-based company stopped short of completely blaming the hacktivist group Anonymous, which had earlier targeted it with denial of service attacks after the corporation prosecuted a hacker in federal court. But Anonymous denies stealing any personal information, instead saying Sony's weak security was the reason so many peoples' accounts were compromised.
Sony is now in boiling hot legal water over why it waited six days to disclose the original attacks and failed to discover the second wave of attacks until this Tuesday. Besides various lawsuits and angry letters from government officials around the world, Sony received a subpoena demanding internal documents relating to the breach on Thursday.
In light of this demand, it may have been wise for the company to send someone to Congress on Tuesday.
At least Sony CEO Howard Stringer apologized on Friday for inconveniencing its users, who can't play multiplayer games online since the network is still down. The company promised would provide credit-monitoring services and insurance to those who became victims of identity theft.
[multipage=PSN Service Restoration Update, Internal Testing Underway 5/7/11 ]
As a follow-up to yesterday's PSN updates and delay due to stolen data that has since been removed, Sony's Senior Director of Corporate Communications & Social Media Patrick Seybold has posted another brief PlayStation Network update as follows:
As you may know, we've begun the process of restoring the service through internal testing of the new system.
We're still working to confirm the security of the network infrastructure, as well as working with a variety of outside entities to confirm with them of the security of the system. Verifying the system security is vital for the process of restoration. Additional comprehensive system checks and testing are still required, and we must complete that process before bringing the systems online.
As you've heard us say, our utmost priorities are the security of the network and ensuring your data is safe. We won't restore the services until we can test the system's strength in these respects.
When we held the press conference in Japan last week, based on what we knew, we expected to have the services online within a week. We were unaware of the extent of the attack on Sony Online Entertainment servers, and we are taking this opportunity to conduct further testing of the incredibly complex system.
We know many of you are wanting to play games online, chat with your friends and enjoy all of the services PlayStation Network and Qriocity services have to offer, and trust me when I say we're doing everything we can to make it happen. We will update you with more information as soon as we have it. We apologize for the delay and inconvenience of this network outage.
[multipage=EU official says Sony, Apple need to rebuild trust 5/3/11]
Sony and Apple could face a backlash from EU data protection officials following recent privacy-related issues surrounding their flagship products.
During a speech earlier today in Brussels, Belgium, European Union Justice Commissioner Viviane Reding noted that both companies needed to rebuild customer trust, saying "those in charge have to take the relevant technical and organizational measures to guarantee protection against data loss or an unjustified access."
The speech, which was covered by Bloomberg, comes days after Sony's announcement that as many as 100 million user accounts were exposed as part of an attack targeting its PlayStation Network and Sony Online Entertainment properties. It also comes just shy of a week since Apple responded to claims that it was tracking user location. Between the two, Reding cited Sony specifically for taking too long to notify users about its data breach.
Apple last week said that it wasn't tracking users and never had plans to do so, adding that any geo-data being stored is simply a smaller part of a secure and anonymous database that helps devices determine where they are.
Apple specifically has said it plans to address concerns about the location database stored on the phone by shrinking its size down to seven days worth of data, encrypting it, and giving users the power to delete it each time location services are turned off. Those adjustments are due as part of a software update promised in the next few weeks, though there are signs that update could arrive sooner.
Meanwhile, Sony Computer Entertainment (Sony's gaming division) has created a new chief security information officer position and plans to offer its customers free identity theft monitoring. Collectively, these moves may not be enough to satisfy EU data protection officials, Bloomberg said.
EU regulation has played a notable role in shaping the policies, products, and business deals of multinational corporations. Microsoft and Google specifically have come under the eye of EU regulators on numerous occasions, with Google being the more recent target for services like Google Books and the company's Street View technology.
[multipage=Sony PlayStation Network Security Update, SOE Now Down 5/2/11]
that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
We continue to work with law enforcement and forensic experts to identify the criminals behind the attack. Once again, we apologize for causing users concern over this matter.
Our objective is to increase security so our customers can safely and confidently play games and use our network and media services. We will continue to provide updates as we have them.
Sony has also suspended another of its online gaming systems, following the recent PlayStation Network hack. The company took the Sony Online Entertainment (SOE) service offline as part of its wider investigation into security breaches. Multiplayer games including DC Universe and Facebook-based Fortune League were unavailable as a result.
Sony admitted last week that the personal details of 77m PlayStation users may have been stolen by hackers. The suspension of SOE was announced in brief statement on its Web site, Station.com.
To quote from the BBC: "We have had to take the SOE service down temporarily. In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately. We will provide an update later today (Monday)," it said.
Last week, Sony said that it did not believe SOE users had been affected by the PlayStation Network hack.
A community relations spokesperson wrote on one of Sony's support forums at the time: "We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons.
"We are continuing that investigation and monitoring the situation carefully; should the situation change, we will - of course - promptly notify you."
Sony Online Entertainment designs and publishes online multiplayer games for the PC, PlayStation 3 and, in the case of Fortune League, Facebook."
Finally, what comes just days after a massive layoff, Nikkei reports (via JoyStiq.com) that SOE has lost 12,700 customer credit card numbers as the result of the attack.
The company apparently took SOE servers offline after learning of the attack last evening, but has yet to issue a statement confirming that customer information has been lost.
Of the 12,700 total, 4,300 are alleged to be from Japan, while the remainder's origins are unknown.
From the official SOE site, to quote: As previously announced, we have been conducting an ongoing, thorough investigation stemming from the cyber attack in April and promised to notify you should there be any changes to the situation.
A press release was issued today outlining these details. We will promptly send a customer service notification via email to all of our impacted account holders whose customer data may have been stolen as a result of an illegal intrusion on our systems. This information was discovered less than 24 hours ago and in response, we took down our services until we could verify their security.
SOE is committed to delivering secure, stable and entertaining games for players of all ages and we're working around the clock to ensure this situation is resolved as quickly as possible. We deeply regret the inconvenience this has caused and appreciate your continued patience and feedback.
CUSTOMER SERVICE NOTIFICATION - May 2, 2011
Dear Valued Sony Online Entertainment Customer: Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.
Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained. We will be notifying each of those customers promptly.
There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.
We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.
We apologize for the inconvenience caused by the attack and as a result, we have:
1) Temporarily turned off all SOE game services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE's services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit [url]www.annualcreditreport.com[/url] or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
Experian: 888-397-3742; [url]www.experian.com;[/url] P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; [url]www.equifax.com;[/url] P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; [url]www.transunion.com;[/url] Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
You may wish to visit the web site of the U.S. Federal Trade Commission at [url]www.consumer.gov/idtheft[/url] or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or You must login or register to view this content.. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (88
743-0023; or You must login or register to view this content.. We are committed to helping our customers protect their personal data and we will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in regions in which such programs are commonly utilized.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1 (866) 436-6698 should you have any additional questions.
Sincerely,
Sony Online Entertainment LLC
[multipage=Sony's Response on PSN to the U.S. House of Representatives 5/4/11]
Today Sony's Senior Director of Corporate Communications & Social Media Patrick Seybold has posted an update on their PSN response to the U.S. House of Representatives via the PlayStation Blog.
To quote: Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on "The Threat of Data Theft to American Consumers."
Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you (click here).
In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:
1. Act with care and caution.
2. Provide relevant information to the public when it has been verified.
3. Take responsibility for our obligations to our customers.
4. Work with law enforcement authorities.
We also informed the subcommittee of the following:
Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named "Anonymous" with the words "We are Legion."
By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
Protecting individuals' personal data is the highestpriority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.
We told the subcommittee about our intent to offer complimentary identity theft protection to U.S. account holders and detailed the "Welcome Back" program that includes free downloads, 30 days of free membership in the
PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and extending PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.
We are working around the clock to have some PlayStation Network services restored and we'll be providing specific details shortly. We hope this update is helpful to you, and we will continue to keep you posted as we work to restore our network and provide you with both the entertainment and the security you deserve.
[multipage=Some PSN Services Available This Week, Free Month of PS Plus 5/1/11]
From their Press Conference today, Kazuo Hirai has briefed the media on Sony's investigation into the PlayStation Network security breach, PSN security measures and service restoration plans.
Sony stated they plan restore some PSN and Qriocity services this week with the rest during the new month, and confirmed that all existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service while current members of PlayStation Plus will receive 30 days free service.
Additonally, those who do not wish to continue using the service will also be eligible for a refund of any remaining funds in your PSN wallet according to the Sony boss.
Of the 77 million PSN users, Sony also confirmed that approximately 10 million accounts had credit card information on file (Regional Breakdown via markmacd), however, they state while the data was encrypted the possibility may exist for hackers to decrypt it.
To quote from Sony's Sr. Director of Corporate Communications & Social Media Patrick Seybold via the official Press Release:
SOME PLAYSTATION NETWORK AND QRIOCITY SERVICES TO BE AVAILABLE THIS WEEK
Phased Global Rollout of Services to Begin Regionally; System Security Enhanced to Provide Greater Protection of Personal Information
Tokyo, May 1, 2011 - Sony Computer Entertainment (SCE) and Sony Network Entertainment International (SNEI, the company) announced they will shortly begin a phased restoration by region of PlayStation®Network and Qriocity™ services, beginning with gaming, music and video services to be turned on.
The company also announced both a series of immediate steps to enhance security across the network and a new customer appreciation program to thank its customers for their patience and loyalty.
Following a criminal cyber-attack on the company's data-center located in San Diego, California, U.S.A., SNEI quickly turned off the PlayStation Network and Qriocity services, engaged multiple expert information security firms over the course of several days and conducted an extensive audit of the system.
Since then, the company has implemented a variety of new security measures to provide greater protection of personal information. SNEI and its third-party experts have conducted extensive tests to verify the security strength of the PlayStation Network and Qriocity services. With these measures in place, SCE and SNEI plan to start a phased rollout by region of the services shortly. The initial phase of the rollout will include, but is not limited to, the following:
Restoration of Online game-play across the PlayStation®3 (PS3) and PSP® (PlayStation®Portable) systems -This includes titles requiring online verification and downloaded games
Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
Access to account management and password reset
Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
PlayStation®Home
Friends List
Chat Functionality
Working closely with several outside security firms, the company has implemented significant security measures to further detect unauthorized activity and provide consumers with greater protection of their personal information.
The company is also creating the position of Chief Information Security Officer, directly reporting to Shinji Hasejima, Chief Information Officer of Sony Corporation, to add a new position of expertise in and accountability for customer data protection and supplement existing information security personnel. The new security measures implemented include, but are not limited to, the following:
Added automated software monitoring and configuration management to help defend against new attacks
Enhanced levels of data protection and encryption
Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns
Implementation of additional firewalls
The company also expedited an already planned move of the system to a new data center in a different location that has been under construction and development for several months. In addition, PS3 will have a forced system software update that will require all registered PlayStation Network users to change their account passwords before being able to sign into the service.
As an added layer of security, that password can only be changed on the same PS3 in which that account was activated, or through validated email confirmation, a critical step to help further protect customer data.
The company is conducting a thorough and on-going investigation and working with law enforcement to track down and prosecute those responsible for the illegal intrusion.
"This criminal act against our network had a significant impact not only on our consumers, but our entire industry. These illegal attacks obviously highlight the widespread problem with cyber-security. We take the security of our consumers' information very seriously and are committed to helping our consumers protect their personal data.
In addition, the organization has worked around the clock to bring these services back online, and are doing so only after we had verified increased levels of security across our networks," said Kazuo Hirai, Executive Deputy President, Sony Corporation. "Our global audience of PlayStation Network and Qriocity consumers was disrupted.
We have learned lessons along the way about the valued relationship with our consumers, and to that end, we will be launching a customer appreciation program for registered consumers as a way of expressing our gratitude for their loyalty during this network downtime, as we work even harder to restore and regain their trust in us and our services."
Complimentary Offering and "Welcome Back" Appreciation Program
While there is no evidence at this time that credit card data was taken, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.
The company will also rollout the PlayStation Network and Qriocity "Welcome Back" program, to be offered worldwide, which will be tailored to specific markets to provide our consumers with a selection of service options and premium content as an expression of the company's appreciation for their patience, support and continued loyalty.
Central components of the "Welcome Back" program will include:
Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.
Additional "Welcome Back" entertainment and service offerings will be rolled out over the coming weeks as the company returns the PlayStation Network and Qriocity services to the quality standard users have grown to enjoy and strive to exceed those exceptions.
SNEI will continue to reinforce and verify security for transactions before resuming the PlayStation Store and other Qriocity operations, scheduled for this month.
You must login or register to view this content.
.[multipage=Sony's Q&A #2 for PlayStation Network and Qriocity Services 5/2/11]
As a follow-up to yesterday's Q&A #1 comes part two from Sony's Senior Director of Corporate Communications & Social Media Patrick Seybold, as follows:
Yesterday, we addressed a number of your questions relating to the malicious intrusion into our network. As we get closer to restoration of service, here are more answers to your questions, many of which are more gaming related:
Q: Will our download history/friends list/settings be affected by the PSN downtime?
A: No, they will not.
Q: Will trophies that were earned in single-player offline games during the outage be intact when the service resumes?
A: These trophies are intact and will be re-synched when the network is once again operational.
Q: Will my PS+ cloud saves be retrievable?
A: Yes, once PSN is restored.
Q: What if we have a subscription to PS3 MMOs DC Universe Online or Free Realms? Will we get compensation for that?
A: From Sony Online Entertainment: "We apologize for any inconvenience players may have experienced as a result of the recent service interruption. As a global leader in online gaming, SOE is committed to delivering stable and entertaining games for players of all ages.
To thank players for their patience, we will be hosting special events across our game portfolio. We are also working on a "make good" plan for players of the PS3 versions of DC Universe Online and Free Realms. Details will be available soon on the individual game websites and forums."
Q: Will there be a goodwill gesture for the time we haven’t been able to utilize PSN/Qriocity?
A: We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online. Thank you for your continued feedback.
In related news, the NY Times reports that a House of Representatives subcommittee sent a letter (PDF) to Sony on Friday asking for information about the attack on the Sony Playstation Network by hackers last week that has affected 77 million registered users.
The letter, which was addressed to Mr. Kazuo Hirai, chairman of Sony, asked the company to answer a detailed list of questions related to the intrusion and they are seeking a reply by May 6, 2011.
Finally, SCEE Blog Manager James Gallagher confirmed that PlayStation Network accounts will not be reset following the outage that has last approximately 1 week. To quote:
"We’re not resetting accounts or anything like that, so when PSN is restored and you log on, everything will be as you left it. When PSN is restored, friends lists, trophies and wallet funds will all be exactly as they were before."
[multipage=Sony's Q&A #1 for PlayStation Network and Qriocity Services
4/30/11]
Sony's Senior Director Patrick Seybold of Corporate Communications & Social Media has made available Q&A #1 for PlayStation Network and Qriocity Services today.
In it they make mention that a new PS3 Firmware update is coming that will force PSN users to change their password for security purposes, which is now confirmed to be PlayStation 3 Firmware 3.61 via Sony Japan.
Additionally, Gamasutra reports that Sony is also providing PS3 developers updated PlayStation 3 SDKs that include new security features before PSN comes back online.
To quote: First off, we want to again thank you for your patience. We know that the PlayStation Network and Qriocity outage has been frustrating for you.
We know you are upset, and so we are taking steps to make our services safer and more secure than ever before. We sincerely regret any inconvenience or concern this outage has caused, and rest assured that we're going to get the services back online as quickly as we can.
We received a number of questions and comments yesterday and early today relating to the criminal intrusion into our network. We'd like to address some of the most common questions today.
We are also going to continue to post updates to this blog with any additional information and insight that we can over the next few days.
We are reading your comments. We are listening to your suggestions. Please keep them coming.
Thank you.
Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.
Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.
Q: What steps should I take at this point to help protect my personal data?
A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
Q: What if I don't know which credit card I've got attached to my PlayStation Network account?
A: If you've added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from "[email protected]" at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.
Q: When or how can I change my PlayStation Network password?
A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.
Q: Have all PlayStation Network and Qriocity users been notified of the situation?
A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and recognize that not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit You must login or register to view this content. and You must login or register to view this content. for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.
Q: What steps is Sony taking to protect my personal data in the future?
A: We've taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network's security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.
Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information?
A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.
Q: When will the PlayStation Network and Qriocity be back online?
A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.
[multipage=G4TV explains PSN being down and accounts being compromised 4/27/11]
[multipage=Hackers: Rebug PS3 Program Not Responsible For PSN Security Failure 4/27/11]
The PlayStation Network being down has lead to a ton of rumors and speculation, and one of the main targets of suspicion yesterday, before it was revealed that a security breach was behind the outage, were the creators of the PS3 firmware replacement program called Rebug.
Rebug is geared toward adding the functions of a PS3 devkit to a retail console without losing retail features. Many speculated on the internet that security breaches enabled by modifying Rebug could have resulted in the PlayStation Network being taken offline by Sony.
In light of the real reasons for the Network being taken down, I asked the Rebug Team, creators of the software, whether the software could be used to steal users' credit card data or other personal info. "NO. NO. NO." They responded (via email). "Thanks to irresponsible media outlets and scene members a few different rumours have been started that have no truth."
According to the team, another untrue rumor about their software is that it allows users are to enter fake credit card data and add funds.
I asked the hackers whether Rebug could be used to get free content from the PlayStation Network, and was told: "Straight out of the box, No. Unfortunately a few days after Rebug’s release, tutorials and games lists started to appear explaining how it could be done."
"The holes that certain Rebug users are getting through could quite easily be fixed without downing an entire network both for developers and retail users worldwide," the hackers said. "We believe it is something more serious than Rebug."
[multipage=Sony PSN and Qriocity Update, Admit Account Info Compromised 4/26/11]
Following up on their previous report and pressure from US Senator Richard Blumenthal, Sony has now posted an update to the PSN and Qriocity service outage admitting that user account information was indeed compromised by PS3 hackers.
Sony has also stated that they expect normal PlayStation Network services to resume within a week, with what may be evidence and logs from the PSN server surfacing from Dutch site PSX-Sense.nl via SKFU alongside an IRC chat on the event.
To quote from Sony's Sr. Director Corporate Communications & Social Media Patrick Seybold via PS Blog:
Thank you for your patience while we work to resolve the current outage of PlayStation Network & Qriocity services. We are currently working to send a similar message to the one below via email to all of our registered account holders regarding a compromise of personal information as a result of an illegal intrusion on our systems.
These malicious actions have also had an impact on your ability to enjoy the services provided by PlayStation Network and Qriocity including online gaming and online access to music, movies, sports and TV shows. We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week.
We're working day and night to ensure it is done as quickly as possible. We appreciate your patience and feedback.
Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
Temporarily turned off PlayStation Network and Qriocity services; Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit [url]www.annualcreditreport.com[/url] or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name.
Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
Experian: 888-397-3742; [url]www.experian.com;[/url] P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; [url]www.equifax.com;[/url] P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; [url]www.transunion.com;[/url] Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
You may wish to visit the web site of the U.S. Federal Trade Commission at [url]www.consumer.gov/idtheft[/url] or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft.
Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC.
For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or You must login or register to view this content.. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (88
743-0023; or You must login or register to view this content.. We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information.
Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.
Sincerely,
Sony Computer Entertainment and Sony Network Entertainment
Playstation Blog updated with latest info:
Thank you for your patience while we work to resolve the current outage of PlayStation Network & Qriocity services. We don't have an exact date to share at this moment as to when we will have the services turned on, but are working day and night to ensure it is as quickly as possible. We are currently working to send the following message via email to all of our registered account holders regarding a compromise of personal information as a result of this malicious attack on our servers, so please look for this information via email as well. Please note that we are as upset as you are regarding this attack and are going to proceed aggressively to track down those that are responsible.
Source, full text and letter (plus "interresting" comments below) here: You must login or register to view this content.
Letter:
Valued PlayStation Network/Qriocity Customer,
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please check You must login or register to view this content. should you have any additional questions.
Sincerely,
Sony Network Entertainment and Sony Computer Entertainment Teams
Sony Network Entertainment Europe Limited (formerly known as PlayStation Network Europe Limited) is a subsidiary of Sony Computer Entertainment Europe Limited the data controller for PlayStation Network/Qriocity personal data.
Finally, to quote from PSX-Sense / SKFU: "Above is a screenshot of their PSN servers access logs. This log is created on the main server of the PlayStation Network. Likely many of you have no idea what exactly a log would be. Sony itself has this log file are also publicly retrievable through the URL. Mistake number two, perhaps? Here also some interesting logs:
178.202.110.92 - - [22/Apr/2011: 7:05:00 p.m. -0700] "GET / admin / cdr / counter.txt HTTP/1.1" 404 343 "-" "Mozilla/5.0 (compatible; Windows NT 6.1, de; rv: 1.9.2.16) Gecko/20110319 Firefox/3.6.16 "
214.1.211.251 - - [15/Apr/2011: 9:40:09 -0700] "GET / _vti_bin / fpcount.exe? Page = default.htm | Image = 3 | Digits = 15 HTTP/1.0" 404 325 "- "" - "
214.1.211.251 - - [15/Apr/2011: 9:39:51 -0700] "GET / scripts / foxweb.exe / HTTP/1.0" 404 324 "-" "-"
214.1.211.251 - - [15/Apr/2011: 9:39:48 -0700] "GET / phpwebfilemgr / index.php? F =../../../ etc / services HTTP/1.0" 404 328 " - "" - "What we see here again include the use of an FVC, local file inclusion, in the last row. With this is that the ip 214.1.211.251, this is possibly the IP of the attacker. Nor has a number of Javascript injections occurred:
214.1.211.251 - - [15/Apr/2011: 9:39:49 -0700] "GET / board.php? script FID = alert (document.cookie) HTTP/1.0" 404 314 "- "" - "
214.1.211.251 - - [15/Apr/2011: 9:39:38 -0700] "GET / servlet / webacc? User.id ="> script alert ('eeye2004'
HTTP/1.0 " 404 319 "-" "-"
214.1.211.251 - - [15/Apr/2011: 9:39:30 -0700] "GET / modules.php? Name = Reviews
One interesting point I found is a not secured access log of a PSN environment. You will quickly notice the IP 214.1.211.251, which sends requests like a vulnerability scanner. The IP points to the DoD Network Information Center, based in Ohio USA.
The first log entry of this IP is [03/Mar/2011:07:10:38 -0800]. As the DoD is knows as beeing easy to hack, the anonymous hacker could have used this as proxy."
[multipage=Sony Sued Over PSN Security Issues, PSN Terms Exclude Liability 4/27/11 ]
Update #2: MCST.ca has reported that Canadian Natasha Maksimovic has also filed suit (PDF) against Sony via McPhadden Samac Tuovi LLP for the recent PSN security breach.
Update: MSNBC now reports that Sony's database may already be on sale in an online bazaar, stating that that low-level cybercriminals using "carder" online forums were offering to sell a database of 2.2 million credit-card numbers taken during the PlayStation Network breach.
As a result of yesterday's confirmation from Sony that PSN account information has been compromised, today class action lawsuits are forming against the corporation despite a T&C disagreement that states Sony is not liable for loss of data.
To quote: "We exclude all liability for loss of data or unauthorised access to your data, Sony Online Network account or Sony Online Network wallet and for damage caused to your software or hardware as a result of using or accessing Sony Online Network," the terms state.
According to the documentation, the first of many defendants is Kristopher Johns, 36, of Birmingham, Alabama.
To quote from CNET: "Sony sued for PlayStation Network data breach
Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed.
The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the U.S. District Court for the Northern District of California. Johns accuses Sony of not taking "reasonable care to protect, encrypt, and secure the private and sensitive data of its users."
He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers "to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions."
The lawsuit is asking for monetary compensation and free credit card monitoring, and is seeking class action status.
Yesterday, Sony warned customers of its PlayStation Network and Qriocity service that their personal information--including customer names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, and user names, as well as online user handles--was obtained illegally by an "unauthorized person" between April 17 and 19. The company says there is "no evidence" that credit card information was compromised, but it can't be sure yet.
In the aftermath of the breach Sony has temporarily turned off PlayStation Network and Qriocity, contracted with an outside security firm to investigate the intrusion on its network, and started to rebuild its system and security.
Johns' complaint echoes the concerns of Sen. Richard Blumenthal, a Connecticut Democrat. Blumenthal yesterday wrote a letter to Jack Tretton, president and chief executive of Sony Computer Entertainment America, saying he was troubled that the company had not notified customers sooner about the breach. He also called for Sony to provide affected customers with financial data security services, including free access to credit reporting services for two years to protect against identity theft."
Also from IGN, to quote: "Sony Sued for PSN Security Breach - Class action lawsuit filed this morning against SCEA.
A class action lawsuit was filed against Sony a day after the company publicly admitted that personal information from PlayStation Network was compromised by a security breach. The lawsuit was filed by the Rothken Law Firm today in a California court and alleges Sony "failed to take reasonable care to protect, encrypt, and secure the private and sensitive data."
Yesterday, Sony said it believes an unauthorized person obtained PSN user information, including members' names, addresses, birthdays, and login passwords. The company said there was no evidence that credit card information was stolen, but did not rule out that possibility.
"We brought this lawsuit on behalf of consumers to learn the full extent of Sony PlayStation Network data security practices and the data loss and to seek a remedy for consumers. We are hopeful that Sony will take this opportunity to learn from the network vulnerabilities, provide a remedy to consumers who entrusted their sensitive data to Sony, and lead the way in data security best practices going forward," said Ira P. Rothken an attorney who filed the class action complaint.
"Sony's breach of its customers' trust is staggering. Sony promised its customers that their information would be kept private. One would think that a large multinational corporation like Sony has strong protective measures in place to prevent the unauthorized disclosure of personal information, including credit card information. Apparently, Sony doesn't," commented J.R. Parker, co-counsel in the case.
The lawsuit seeks monetary compensation for the data loss and "loss of use of the Sony PlayStation Network, credit monitoring, and other relief according to proof."
[multipage=Sony Details Update on PSN Service Outages, Possible Attacks 4/20/11]
Today SCEE Blog Manager James Gallagher alongside Senior Director Patrick Seybold via the US Blog have posted update details on the PSN service outages, stating outside attacks may be a possible cause.
To quote: I know you are waiting for additional information on when PlayStation Network and Qriocity services will be online. Unfortunately, I don’t have an update or timeframe to share at this point in time.
As we previously noted, this is a time intensive process and we’re working to get them back online quickly. We’ll keep you updated with information as it becomes available. We once again thank you for your patience.
We sincerely regret that PlayStation Network and Qriocity services have been suspended, and we are working around the clock to bring them both back online.
Our efforts to resolve this matter involve re-building our system to further strengthen our network infrastructure. Though this task is time-consuming, we decided it was worth the time necessary to provide the system with additional security.
We thank you for your patience to date and ask for a little more while we move towards completion of this project. We will continue to give you updates as they become available.
An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th.
Providing quality entertainment services to our customers and partners is our utmost priority. We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share.
As you are no doubt aware, the current emergency outage is continuing this afternoon and all Sony Online Network services remain unavailable.
Our support teams are investigating the cause of the problem, including the possibility of targeted behaviour by an outside party. If the reported Network problems are indeed caused by such acts, we would like to once again thank our customers who have borne the brunt of the attack through interrupted service.
Our engineers are continuing to work to restore and maintain the services, and we appreciate our customers’ continued support.
While we are investigating the cause of the Network outage, we wanted to alert you that it may be a full day or two before we’re able to get the service completely back up and running.
Thank you very much for your patience while we work to resolve this matter. Please stay tuned to this space for more details, and we’ll update you again as soon as we can.
For further information, please refer to updates on PlayStation.com our @PlayStationEU twitter feed.
Finally, for those wondering PSN error 80710A06 simply means "Issue with the system: The PlayStation 3 system encounted an issue" according to Sony's PS3 error code checker.
05-13-2011, 05:06 PM
#3
TheManDavid
Your mother!
Hold on there partner. This thread contains vocabulary that just exceeds my reading level. LOL. Jk. Nice thread
THIS IS MY 1000th post! F*CK YEAH
THIS IS MY 1000th post! F*CK YEAH
05-13-2011, 05:08 PM
#4
alchybear
< ^ > < ^ >
lol well theres 12 pages psn updates of what they have said about psn down time to the right n i bet it take more than a few hour to for the noobs read it all, if they even see the pages to the right XD . and the ones that want to blame jail break n cfw and rebug well this pretty much clears everything up in a way to show they didnt do it.
05-13-2011, 05:17 PM
#5
Sync
Guest
Wow Nice thread with very well written information :y: i actually read a lot of it but it's a lot of info 
The following 2 users say thank you to Sync for this useful post:
Copyright © 2026, NextGenUpdate.
All Rights Reserved.
