Sony PlayStation Network Hacked — Exposes Information on Millions

There is now an explanation behind the mysterious outage of the Sony PlayStation Network (PSN), the online videogame service that enables millions of subscribers to play games over the Internet.  The explanation is not likely to make angry gamers any happier. 

The PSN outage was first reported around April 20, 2011.   Originally Sony simply said it was looking into the problem.  Then, on Saturday, April 23rd, Sony reported that the outage was related to an “external intrusion”, but no further details were provided.  Finally, on April 26th, Sony acknowledged that its network had been hacked and the personal information of its roughly 77 Million subscribers may have been compromised.

Sony is now notifying its PSN customers, via a blog posting and via email, that user account information was compromised between April 17th and April 19th, “in connection with an illegal and unauthorized intrusion into our network.”  Sony believes that an unauthorized individual has obtained the following customer information: 

name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

Sony further stated that although it had no evidence that credit card information was obtained, it could not rule out that possibility.   If a customer provided credit card data through PSN or the related Qriocity service, Sony advised that the credit card number and expiration date may have been obtained. 

Sony claims that it will be rebuilding its system to provide better security and has retained the services of a prominent security firm.  As of this posting, PSN remains offline. 

The fallout from this massive breach has already started. Legislators have jumped into the fray, including U.S. Senator Richard Blumenthal, who sent a letter chastising Sony’s CEO for the delay in issuing notifications and for not offering to pay for credit monitoring services for 2 years.

Additionally, a Complaint seeking class action status has now been filed in the U.S. District Court for the Northern District of California.  The allegations in the complaint include breach of warranty, negligent data security and violation of consumer rights to privacy.  Unspecified economic damages are sought, as well as punitive damages and other relief.

Originally, it was thought that this incident had the fingerprints of a vigilante hacker group called “Anonymous”, which had taken down several Sony Web sites in recent attacks to protest Sony’s lawsuit against individuals who had released software code that would allow 3rd party applications to run on Sony hardware. Anonymous, or at least one branch of it, has since denied involvement in the PSN incident. It remains to be seen if individuals related to Anonymous are involved.

In the coming days, we are sure to see further fallout from this unprecedented breach.  Sony will also undoubtedly be subject to probing questions as to the security it had in place and how this incident could occur.