SONY HACKER ATTACK IN 2011
In April 2011, Sony revealed that its PlayStation Network and Qriocity online services had been the victim of a hacker attack and personal data---including names, e-mail addresses and birth dates and possibly credit card information---from 101.6 million accounts was taken. Some of the data contained credit card numbers, debit card numbers and expiration dates, but not the three-digit security code on the back of credit cards, from old records of customers in Austria, Germany, the Netherlands and Spain.
The incident represented one of the largest Internet security break-ins ever and was widely covered in the media. Illegal access took place at Sony’s San Diego-based PlayStation Network for online games and Qriocity movie and music distribution services from April 17 to 19. Sony has a three-layer defense system in its database, yet hackers were able to take advantage of a flaw in the application server that operated the server. The hackers broke into the server by making it appear they had authorized access.
Credit card details of some 27,000 gamers in the Middle East may have been breached by thieves who hacked into the online gaming network. A Dubai-based PlayStation spokesperson said the online gaming network had stored details of around 14,000 credit card holders in the UAE, 12,500 in Saudi Arabia and 500 in Kuwait. Many gamers used pre-paid PSN cards rather than credit cards to access the service. The online gaming network has 1,093,000 account holders in the Middle East with the majority---650,000---based in Saudi Arabia. [Source: Reuters, May 7, 2011]
A Sony spokesman denied a report that a group tried to sell millions of credit card numbers back to Sony. He said while user passwords had not been encrypted, they were transformed using a simpler function called a hash that did not leave them exposed as clear text. Masai Horibe, an expert on information law at the University of Maryland, told the Yomiuri Shimbun, “Many companies have become targets of cyber-attacks and my impression was that even Sony’s security had been broken. Companies must inform users of the possibility of information leaks quickly.”
Kim Zetter wrote in Wired, Sony first discovered evidence of the breach on its PlayStation Network last April 20, but waited until the 26th to notify PSN customers. The company said it notified customers the day after forensic investigators told it that the intruders had hacked its network and obtained the personal information of more than 75 million customers. This was followed by another breach at Sony Online Entertainment, which compromised an additional 25 million customers, and still more breaches at Sony Pictures and Sony BMG. [Source: Kim Zetter, Wired, October 12, 2011]
More Hacker Attacks on Sony
Sony later suffered attacks on websites in Greece, Thailand, Indonesia and Canada. In June 2011, Reuters reported: “Hackers broke into Sony Corp's computer networks and accessed the information of more than one million customers to show the vulnerability of the electronic giant's systems, the latest of several security breaches undermining confidence in the company. Lulz Security (LulzSec), a group that claims attacks on CIA, FBI, Fox, PBS and the U.S. government, said it broke into servers that run Sony Pictures Entertainment websites. It published the names, birth dates, addresses, emails, phone numbers and passwords of thousands of people who had entered contests promoted by Sony.” [Source: June 3, 2011]
"From a single injection, we accessed EVERYTHING," the hacking group said in a statement. "Why do you put such faith in a company that allows itself to become open to these simple attacks?" LulzSec also said it had hacked into Sony BMG Music Entertainment Netherlands and Belgium and Sony Music Japan. [Ibid]
John Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a nonprofit group that monitors Web threats, told Reuters he was not surprised that Sony's systems had again been breached. "The system was unsecure," said Bumgarner, who last month warned of a string of security vulnerabilities across Sony's networks that he had identified. He said he found vulnerabilities in the Sony Pictures Entertainment network shortly before the attack. [Ibid]
Who Was Behind the Sony Hacker Attack?
The hackers have not been identified, but international Internet vigilante group Anonymous, which had claimed responsibility for previous attacks on Sony and other corporations, denied involvement. The group's statement came after Sony said Anonymous was indirectly responsible for the attack on the company. Before the hacker attack Anonymous had sent a massive number of e-mails in an effort to crash the system.
AP reported in June: “Stringer said he believes Sony was attacked because it tried to protect its intellectual property, lending credence to widespread speculation that the moves were meant to punish the company for suing hackers like George Hotz. Known as "Geohot," Hotz broke into the PlayStation 3 operating system and posted the steps online. "These are our corporate assets, and there are those who don't want us to protect them," Stringer said.” [Source: AP, July 1, 2011]
Reuters reported in May: “What has bothered some of its customers and made Sony a big target in the hacking world is its practice of clamping down on customers who meddle with its systems,” “Sony sued a famed hacker, George Hotz, this year for copyright infringement and circumventing PlayStation 3's protection schemes. Hotz, who is well known for "jailbreaking," or unlocking Apple Inc's iPhone, said on his blog he was not involved in the break-in.” [Source: Reuters, May 18, 2011]
“The company settled the charges against Hotz on April 11. About a week later, Sony's systems were hacked. Mark Harding, a Maxim Group analyst, said Sony could have employed less severe methods to protect itself from copyright infringement. "There were probably better ways Sony could have done it without being heavy handed," he said.” [Ibid]
Stringer said the attack was likely related to its suit against Hotz but defended Sony's actions. "An act was done that was dangerous to Sony, dangerous to PlayStation and we thought it was a criminal act and we had to protect ourselves." Sony is working with the FBI and other authorities to investigate what is being called “a criminal cyber attack.” Addressing a report that said hackers had used Amazon.com's servers to launch the attack on Sony, Sony executives said they saw no evidence this was the case.
After the Sony hacker attack a number of arrests of hackers were made although it was not clear whether they were involved with the Sony attack. In Spain several members of the Anonymous group were detained. In a 750-page online “manifesto” Lulz Security said it staged the attacks for its own entertainment. “You find it funny to watch havoc unfold, and we find it funny to cause it,” the manifesto said. After saying it was going to permanently disband, the group said, “For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others---vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy.”
Costs and Lack of Trust in Sony After the Hacker Attack
The breach damaged Sony’s reputation, put the company in danger of losing customer trust and undermined its online strategy. Sony was criticized for knowing something was up for more than a week before making announcements to the public. Within days after the breach was revealed Sony was being investigated by the U.S. government and by users in Alabama and Michigan.
Reuters reported: “The Internet breaches sparked thousands of comments on the official PlayStation fan page on Facebook, some of them from users who said they would switch to Microsoft's Xbox Live games network. One analyst said security concerns could weigh on sales of Sony gadgets and hurt growth prospects for its network services.” "There is a real concern that trust in Sony's business will decline," Kota Ezawa, analyst at Citigroup Global Markets Japan, wrote. "The network business itself still only makes a small direct contribution to earnings, but we see a potential drop in hardware sales as a concern." The timing of the breach was also bad. It occurred just as high-profile games like Mortal Kombat and Portal 2 were releasing versions for PlayStation and Microsoft’s Xbox. [Source: Reuters, May 7, 2011]
As of June 2011, Sony's stock price has fallen 30 percent, compared with a roughly 6 percent decline in the benchmark Nikkei 225 stock average. The Tokyo-based company estimates the hacks will cost 14 billion yen ($173 million) in increased customer support costs, freebie packages to welcome back customers, legal fees, lower sales and measures to strengthen security. The Ponemon Institute, which specializes in the protection of personal information, initially estimated the whole episode could cost Sony $1.5 billion to $2 billion in investigations and compensation.
Josh Shaul, chief technology officer at New York-based database security software maker Application Security, told AP that Sony was "certainly initially targeted" because of their lawsuit against Hotz. "But the reason hackers were so incredibly successful, I think 20 different times, was that Sony didn't have adequate protection," he said, adding that the company could have done more to protect itself before the attacks started. "Information security is not that hard but it takes some planning," he added. [Source: AP, July 1, 2011]
Sony executives reiterated that the attacks have not derailed Sony's core strategy of more deeply connecting its hardware, content and services. "My foremost responsibility to the board and all of you is to further advance the transformation process, firmly establish Sony's position as a global product, content and service leader in the networked digital era and ensure our continued development and growth," Stringer said. [Ibid]
Response to Sony Hacker Attack
Sony was under heavy criticism over its handling of the network intrusion. The company did not admit a serious leak of personal data had taken place or notify consumers of the breach until April 26 even though it began investigating unusual activity on the network from April 19. Sony shut down the network on April 20th, three days after the hacker attack began, but didn’t explain that a possible leakage of data took place until April 26th. The company insisted it took that long because it took some time to realize the seriousness of the breach. Many analysts and gamers were skeptical. Messages by posters on the PlayStation Network bulletin board were mostly critical.
Sony executives executed the bow of shame when they publicly apologized for delays in releasing information about the breach. Sony CEO Sir Howard Stringer apologized to users more than three weeks after the breach occurred. "I know some believe we should have notified our customers earlier than we did. It's a fair question," Stringer said in comments posted on Sony's US PlayStation blog. "I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had - or had not - been taken... To date, there is no confirmed evidence any credit card or personal information has been misused, and we continue to monitor the situation closely." [Source: Reuters, May 7, 2011]
A few days later Stringer was more unapologetic and frank in his assessment of Sony’s response. "This was an unprecedented situation," Stringer told reporters, speaking publicly for the first time since the April breach. "Most of these breaches go unreported by companies. Forty-three percent (of companies) notify victims within a month. We reported in a week. You're telling me my week wasn't fast enough?" At a shareholder meeting in June Stringer apologized again. At that time he said that as many as 90 percent of subscribers have come back since the Japanese company began restoring service last month. "Our brand perception, you'll be happy to know, is clearly improving again," he told a less-than-happy crowd.
In mid June, Sony revealed it was aware in late April of the massive scale of the data breach involving its PlayStation Network services but only announced that some information may have been leaked, Kyodo News reported, citing a document released by the Ministry of Economy, Trade and Industry. “The revelation raises the suspicion that the game unit of Sony deliberately attempted to downplay the seriousness of the situation by not fully disclosing information. The Japanese game giant has already been criticized by the U.S. Congress for its slow initial response to the incident.” [Source: Kyodo, June 15, 2011]
In response to the crisis caused by the breach Sony launched a data theft insurance policy for its PlayStation Network and Qriocity users. To appease customers and keep them from cancelling their accounts Sony offered free games and gave account holders 30 days of free time on their subscriptions. Sony recommended that users change their user IDs and passwords not only at Sony but with other services in which they use the same password. The company said it would shoulder fees for credit card replacement if customers wished to get new cards.
In late May, Reuters reported, Sony shut down a website set up to help millions of users affected by April's massive data breach after finding a "security hole". The site had been designed to help 77 million users of its PlayStation Network reset their passwords after finding the security weakness. Sony spokesman Dan Race said the company found the security hole on a webpage that could potentially allow the hackers who had taken personal data from users in April to access their accounts using the data they had stolen. "If I had your email and your birth date I could have potentially got access to your account," Mr Race said. [Source: Reuters, May 19, 2010]
Kim Zetter wrote in Wired, “The company hired Phil Reitinger in September 2011 as part of its efforts to improve the security of its networks in the wake of those earlier breaches. Reitinger has heavyweight credentials in the security community. He was previously Deputy Under Secretary of the National Protection and Programs Directorate and Director of the National Cyber Security Center at the Department of Homeland Security. Before that, he was chief trustworthy infrastructure strategist for Microsoft.” [Source: Kim Zetter, Wired, October 12, 2011]
Lawsuits, the U.S. Congress and Payouts Connected to the Sony Hacker Attack
Sony said it expected to face monetary charges from the break-in but was still assessing the damage. "There's a charge for the system being down ... a charge for identity theft insurance," Stringer said. "The charges mount up, but they don't add up to a number we can quantify just yet."
In April U.S. lawyers filed a class action lawsuit against Sony on behalf of lead plaintiff Kristopher Johns for negligent protection of personal data, failure to inform players in a timely fashion that their credit card information may have been stolen and depriving customers of the use of the network for an extended period of time.
Sony has estimated that the breaches would cost it more than $170 million this year, including expenses for shoring up its network against future attacks. Sony is looking to its insurers to help pay for its data breach, but others said insurers may balk at ponying up that kind of money. "We have a variety of types of insurance that cover damages. Certain carriers have been put on notice," said Sony spokesman Dan Race. One expert initially estimated the cost of the breach could exceed $2 billion.
Three weeks after the shutdown of the PlayStation Network on April 20, Sony's share price had dropped nearly nine percent to close at 2,241 yen ($28).
Two members of the U.S. House of Representatives sent a letter to Sony, urging it to respond to questions about its security strategy and reveal more details about the data breach. In the letter, Representatives Mary Bono Mack of California and G.K. Butterfield of North Carolina said they had contacted Sony on April 29 but all of their questions had not been answered by the company. The lawmakers asked Sony to respond to questions by May 25.
Sony Restores PlayStation Network
The initial intrusion forced Sony to take its PlayStation Network offline for 40 days. In mid May, AP reported, “Sony began restoring its PlayStation Network service in the United States and Europe after shutting down the service for almost a month. Restored operations were mainly limited to online gaming, chat and music streaming services. Sony fully restored the PlayStation Network in the United States and Europe by the end of May. Sony also began a phased restoration of its Qriocity movie and music services which share the PlayStation Network's server. Limited services will also resume in Australia, Canada, New Zealand and the Middle East, and Sony said it will start restoring the service for users in Asia soon.” [Source: AP, May 14, 2011]
Kazuo Hirai, chief of Sony Corp.’s PlayStation video game unit, said in a statement that the company has beefed up security measures to protect customers' personal data. At that juncture the partial service allowed users to enjoy video games and online chat, but consumers still could not buy video games or other content by using credit cards. “While we understand the importance of getting our services back online, we did not rush to do so at the expense of extensively and aggressively testing our enhanced security measures,” Mr. Hirai said.
PlayStation Network and Qriocity were restored in the United States and Europe in late June. The entire system, with PlayStation Network and Qriocity in Japan being the last part to be fixed up, was fully restored in early July.
LulzSec and the Sony Hacker Attack
A group calling itself LulzSec posted statements online saying it broke into SonyPictures.com and downloaded unencrypted personal information, including passwords, email addresses and dates of birth from 1 million user accounts. It made its breaches public through a fascinating and oddly entertaining Twitter account.
The LulzSec group, an offshoot of the online griefer collective known as Anonymous, described the attack and posted customer information online from what appeared to be sweepstakes and loyalty-program databases, including one tied to the long-running soap opera "The Young and the Restless." The group also took information from Sony music operations in Belgium and the Netherlands, it said. "It's just a matter of taking it," LulzSec said in its statement. "This is disgraceful and insecure; they were asking for it."
LulzSec called it quits in June after 50 days of high-profile breaches.
FBI Arrests Suspect in Sony Hacker Attack
In September 2011, according to a report by Wired magazine, a 23-year-old man was arrested in Arizona in connection with the Sony hacker attack. The suspect, Cody Andrew Kretsinger, is believed to be a member of the LulzSec group. [Source: Kim Zetter, Wired, September 22, 2011]
A second unidentified man was arrested in San Francisco the same day in connection with Anonymous cyberattacks on web sites belonging to Santa Cruz County government offices, according to Fox News. Search warrants were also being executed against other Anonymous suspects in New Jersey, Minnesota, and Montana, an FBI source told the news agency. The actions continue an ongoing law-enforcement crackdown against alleged members of the two groups. In July, federal agents arrested 14 suspected Anonymous members on charges of participating in denial-of-service attacks against online payment service provider PayPal. Five additional suspects were arrested overseas---one in the United Kingdom and four in the Netherlands---for related crimes. The U.K. arrest was reportedly of “Tflow”, a former member of LulzSec, identified by police as a 16-year-old male.
The majority of the individuals were allegedly acting as part of Anonymous, which took credit for denial-of-service attacks last year against PayPal, Visa, and Mastercard after the payment service providers announced they would stop processing donations intended for the secret-spilling site WikiLeaks.
As for the latest arrest on Thursday, according to the indictment against Kretsinger, on May 23 the Tempe, Arizona resident registered a virtual private network at hidemyass.com using the handle “recursion.” He and others allegedly used the masking service to conduct a SQL injection attack on Sony’s servers and steal data, before announcing the hack on the LulzSec web site and Twitter feed. Kretsinger then allegedly erased his hard drive in an effort to wipe out evidence of the hack. He’s currently facing one count of conspiracy and one count of computer fraud.
More Than 93,000 Sony Customers Affected by Breach in October 2011
In October 2011, Kim Zetter wrote in Wired, Sony announced that hackers broke into the accounts of more than 93,000 customers by trying to log in to Sony using a large list of usernames and passwords. Sony said it believed the intruders collected the log-in credentials from another source, not from Sony’s networks, and were able to gain access to the Sony accounts because customers used the same credentials with their Sony accounts. [Source: Kim Zetter, Wired, October 12, 2011]
“Phil Reitinger, Sony’s new chief information security officer, made the announcement on the company’s blog. He wrote that intruders tested a “massive set of sign-in IDs and passwords” at web sites for several of its properties---Sony Entertainment Network (SEN), PlayStation Network (PSN) and Sony Online Entertainment (SOE). Most of the log-in credentials failed to gain the intruders access, but about 60,000 credentials matched those used by SEN and PSN users; another 33,000 matched credentials for SOE accounts.” [Ibid]
“[G]iven that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks,” Reitinger wrote. He noted that a “small fraction” of the accounts showed activity after they were breached, but that the intruders couldn’t access credit card account information. Sony had since locked all of the accounts accessed through the attack until customers can be notified to change their passwords. “We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet,” he wrote. Reitinger’s quick announcement was a departure from the company’s previous handling of a breach it suffered earlier. [Ibid]
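The pattern Reitinger describes (a large set of sign-in ID and password pairs, almost all of which fail, with a small number of matches that then have to be locked) can be picked out of login logs. The following is an added example, not code from Sony or from the Wired report; the event format, the function name flag_stuffing, the thresholds and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data): (source, sign_in_id, outcome).
SAMPLE_EVENTS = (
    # One source tries 100 different IDs once each; 97 fail, 3 match.
    [("203.0.113.7", f"user{i:03d}", "fail") for i in range(97)]
    + [("203.0.113.7", name, "ok") for name in ("alice", "bob", "carol")]
    # An ordinary user mistypes a password twice, then gets in.
    + [("198.51.100.20", "dave", "fail"),
       ("198.51.100.20", "dave", "fail"),
       ("198.51.100.20", "dave", "ok")]
    # A normal single login.
    + [("192.0.2.55", "erin", "ok")]
)


def flag_stuffing(events, min_ids=50, min_fail_ratio=0.9, max_tries_per_id=2.0):
    """Return sources whose traffic looks like a tested credential list.

    Signals (threshold values are assumptions, tune per service):
      - many distinct sign-in IDs from one source,
      - an overwhelming share of failed attempts,
      - few tries per ID (pairs are tested, not guessed repeatedly).
    For each flagged source, the IDs that logged in successfully are
    listed so those accounts can be locked pending a password change.
    """
    per_source = defaultdict(
        lambda: {"attempts": 0, "failures": 0, "ids": set(), "hits": set()}
    )
    for source, sign_in_id, outcome in events:
        stats = per_source[source]
        stats["attempts"] += 1
        stats["ids"].add(sign_in_id)
        if outcome == "ok":
            stats["hits"].add(sign_in_id)
        else:
            stats["failures"] += 1

    flagged = {}
    for source, stats in per_source.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        tries_per_id = stats["attempts"] / len(stats["ids"])
        if (len(stats["ids"]) >= min_ids
                and fail_ratio >= min_fail_ratio
                and tries_per_id <= max_tries_per_id):
            flagged[source] = {
                "distinct_ids": len(stats["ids"]),
                "fail_ratio": fail_ratio,
                "accounts_to_lock": sorted(stats["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for source, report in flag_stuffing(SAMPLE_EVENTS).items():
        print(source, report)
```

Grouping by a single source address is a simplification; a run spread across many addresses needs the same ratios computed over a time window for the service as a whole.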
Text Sources: New York Times, Washington Post, Los Angeles Times, Times of London, Yomiuri Shimbun, Daily Yomiuri, Japan Times, Mainichi Shimbun, The Guardian, National Geographic, The New Yorker, Time, Newsweek, Reuters, AP, Lonely Planet Guides, Compton’s Encyclopedia and various books and other publications.
© 2008 Jeffrey Hays
Last updated October 2012