Sony admits utter PSN failure: Your personal data has been stolen

“Sony has finally come clean about the ‘external intrusion’ that has caused the company to take down the PlayStation Network service, and the news is almost as bad as it can possibly get,” Ben Kuchera reports for Ars Technica. “The hackers have all your personal information, although Sony is still unsure about whether your credit card data is safe. Everything else on file when it comes to your account is in the hands of the hackers.”

“‘It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained,’ Sony announced. While the company claims that there is ‘no evidence’ that credit card information has been compromised, it won’t rule out the possibility,” Kuchera reports. “Their advice is to be safe, rather than sorry. ‘If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.’”

Kuchera reports, “There is still no update on when service will be restored, but that is the least of your concerns if you have a PlayStation Network account. It’s time to change your passwords, at the very least, and if you’d like to be completely safe it’s not a bad idea to cancel your credit or debit cards and request replacements.”

Read more in the full article here.

MacDailyNews Take: Qridiocy.

[Thanks to MacDailyNews Reader “ChrissyOne” for the heads up.]

Related article:
Sony unveils two iPad killers; ‘S1’ and ‘S2’ Android 3.0 tablets coming this fall (with photos) – April 26, 2011

34 Comments

      1. I came for the SteveJack but I stay for the ChrissyOne.

        (Yeah that was pretty feeble. 🙂 I really just mean that I tend to skim the articles, find and read Chrissy’s comments and move on.)

  1. Sony is a very large company. As such, one would presume, they have internal, as well as external auditors who carefully scrutinise all security policies throughout the corporation. It is also safe to assume that the team responsible for the PS Network also had a professional, reasonably competent IT security contingent. In other words, this is not some one-man-show operation.

    The point I’m trying to make is that it really does NOT matter at all how small or big a company is. Security of a company’s (or customers’) data will in the end always depend on that one person who wrote some code or implemented some policy on some system. There may be multiple layers of management between that last person in the trenches and the head responsible for corporate security strategy, whose head would normally roll after a breach of such proportions. However, the hole is almost never caused by some large, systemic failure caused by poorly devised security policy strategy. It will most often be a simple omission of a proper patch, which leaves a possible vulnerability open for an exploit. Couple that with the sheer luck some hacker had in finding that vulnerability and the damage is done.

    I don’t know the exact details of this event but it is quite likely that this kind of breach could happen to anyone, including Apple.

    All we could say here is, couldn’t have happened to a nicer company…

    1. So far it’s coming out they stored all user info in plain text. Sound like a competent company?

      It took them 6 days to release the fact user info was compromised. And this is over a week after they first got ass pwn3d by an actual anon op. Sorry man, this is going to be a textbook case of how to get a large customer base pwn3d and then fumble it all the way possible so your customers get max Eff’d. Also, it is not sheer luck. It’s sheer persistence and superior knowledge/skills on the hackers’ part that put Sony in the place they are today.

    2. Doubt it. Probably would be safe to assume that Sony has professionals handling company data, very doubtful that the same security protocols would be in place on the network. Safer to assume that this standalone, commercial product utilizes as cheap a setup as possible, if not outsourced to a third party, outside contractor to minimize corporate liability. Notice how no indication was given as to accounts with Sony proper? Only this specific network was hacked. You get what you pay for.

      1. It would be safe to assume Sony has professionals that handle the data… that got stolen by hackers. Yeah, safe bet. lolz

        All your assumptions are incorrect. NEXT!

    1. Well, at first it was Anonymous, the sometimes gallant, sometimes terrorist-like group of hackers, initiating a Denial of Service attack as payback for Sony’s lawsuit against the PS3 hacker from California. It’s definitely possible Anonymous did this, but it would defeat the purpose of the mission, which was to harm Sony and defend consumers. Such is the nature of a hive-mind though.

      1. I wouldn’t put it past Sony to have faked this. Sure it delves into conspiracy theory territory, but if they needed to take it down to fix the holes, and they pull this… It causes everyone to look sideways at Anon, and “hackers” in general, who they were having problems with, and lets them do the work they were going to do anyway but get to deflect the pissing about the network being down with a “this is for your safety” line.

        1. You may have had a point, but this is too terribly mismanaged by Sony to have any ulterior motives. i.e., they look moronic at this point and usually you’d want to pull a stunt off so it paints you in a good victimish light, not a bumbling amateur light.

    1. It only took Sony six days to finally get around to publicly announcing the security breach. Who knows though, it could be the hackers injected some code into Sony’s servers to keep Sony locked out.

      Sony had access to all 75 million customers’ email and should have notified them immediately regardless of the level of suspected damage. Especially where credit cards are concerned.

      I doubt this is one of Sony’s competitors and it certainly wasn’t some altruistic concern for PSN’s membership.

      I believe the motive was money and millions of fresh CC numbers to sell on the black market.

      1. I would have to agree.

        I only noticed PSN was down late Friday, figured it was a new patch coming. Tried Saturday night, same issue. Got me wondering what was going on. Only Monday did I actually do any research into the problem.
        All this because some asshat got mad about Sony removing Linux install capability from a game console…

        And I agree with what you said above, they REALLY should have sent out emails and such to warn customers.
        Anyone that has an ID theft problem now, and has/had a PSN account, should be able to sue Sony. It *could* have been prevented IF Sony told us in time. Major failure on Sony’s part.

        In a dilemma here now, as far as PS3/Xbox goes (I have both), I prefer PS3.
        Now with this, do I go back to Microsoft, or stick with Sony? No matter which I choose, I feel like I’m getting bent over.

        Hell… or do I say screw it and go Nintendo? lol

    1. You can’t until Patrick Seybold gives you the green light.

      The problem Sony has created for itself, and which will draw the ire of millions of customers, is that Sony told everyone on the 20th that they were experiencing trouble with the servers and would try and get back online as soon as possible.

      The following day, they said they were now investigating the cause of the failure. The day after that they concluded there was some “external intrusion”.

      Meanwhile, as late as the 25th Seybold was telling the membership that Sony was in the process of rebuilding the network to fortify its security and that it would be an intensive process.

      Only today did they make the membership aware that everyone’s privacy was compromised.

      Unsatisfactory! I can see it now, every one of the executives was covering their own asses, trying to determine the extent of damage and who knew what when.

  2. Well good thing they didn’t maintain all their data on Windblows PeeCees…. or did they?

    They probably did. However, any security is only as good as any employee that can be hoaxed into giving up access info, such as Anonymous has recently done.

  3. There’s a popular reddit article going around possibly explaining the intrusion:
    http://tinyurl.com/PSNpwnag3Rumour

    I’ve been on anonIRC… Funny stuff. Surely it’s not one of their ops any longer, but I’m sure so many weaknesses were exposed in their first attack that someone capitalized on it. Apparently, all the user info and CC#s were in plain text. Who the fuck does that nowadays?
