Threatscape comment on Sony Playstation Network incident

With over 75 million customers potentially affected, ‘illegal intrusion’ could be one of the biggest ever


Dublin, Ireland – April 27th 2011

Background Information

Sony last night confirmed that customers’ personal details may have been compromised after what they are describing as an ‘illegal intrusion’ into their PlayStation Network:

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

The affected Sony online services have over 75 million registered users, including 32 million in Europe, 3 million of them in the UK alone. Sony have so far released very limited information about the nature of the incident, so we do not know how an intruder gained access to Sony’s systems, exactly what data was taken, or how many of their 75 million-plus PlayStation Network and Qriocity customers may be affected. In fact it appears Sony themselves may still be scrambling to determine this:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID.

It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.

While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.

The fact that Sony have chosen to entirely shut down two high profile and very widely used services, and are ‘rebuilding’ them before making them available to customers again, indicates that the intrusion, and the scale of data theft, could be very significant indeed. Even if it transpires that credit card data was not stolen (and from the statement above, it appears Sony currently just do not know whether it was or not), the other personal data taken could be used for malicious purposes: names, addresses, dates of birth, passwords and security answers are exactly what is needed for identity theft, phishing and attacks on other accounts where the same password or security answers have been reused.

What does this incident mean for CONSUMERS?

Sony PlayStation Network customers will rightly be concerned at the breadth of their personal data which may now be in the hands of an unknown hacker or team of hackers: name, address, password, answers to security questions, date of birth and possibly even credit card details. In this incident, Sony have been vague regarding how many customers are affected or which data has been stolen. It is not even clear if they actually know this, or ever will. Threatscape recommend that users of the PlayStation Network take the same precautions which are recommended for all online transactions, including:

And as always, before any internet activity you should make sure that your computer is adequately secured – with effective and up to date security measures such as anti-virus and firewall, and the latest software patches from vendors such as Microsoft and Adobe installed to ensure any security holes have been plugged.

What does this incident mean for SONY?

Sony own not only a very large consumer electronics business, but also a record label, movie studio and TV production business. Their CEO has often spoken of a ‘network strategy’ whereby Sony wants to own, and profit from, the customer experience from end to end: producing the ‘content’ customers wish to purchase, transacting its sale, and providing the equipment for its consumption. But in portable devices they have failed to repeat the success of their earlier Walkman, with Apple and their iPod coming to dominate first the digital media player market and then, even more ominously, the online sale of digital content. Not only is Apple’s iTunes Store now selling billions of dollars of digital content, but companies like Amazon and Netflix are also becoming major forces in that market.

In order to maintain their relevance and profitability in consumer media, it is vital for Sony to leverage their greatest success in the digital home: the PlayStation gaming console and the online PlayStation Network, which allows gamers to play games online and purchase content electronically. With over 75 million registered users, and services beyond gaming such as online sales of TV shows and movies, this was to be the foundation of Sony’s stated aspiration of growing an online customer base of 350 million ‘networked devices’ with over $3 billion in annual service revenue.

Sony executives will be horrified that such an important part of their digital strategy has suffered a security breach, and will be attempting to minimise the long term damage to their reputation, brand – and the trust and loyalty of customers.

Is the attacker unknown – or ANONYMOUS?

George Hotz is a 21-year-old American technology enthusiast (widely known by his online moniker ‘geohot’) who gained notoriety for successfully unlocking the Apple iPhone in 2008, and more recently for defeating the allegedly unbreakable security on Sony’s PlayStation 3 gaming console. Sony responded in January of this year by taking legal action against Hotz, resulting in a US court granting them access to the IP address data of visitors to Hotz’s web site (www.geohot.com) and PayPal giving Sony access to Hotz’s PayPal account. Hotz settled with Sony out of court earlier this month, and undertook never to hack any Sony products again.

When the intrusion into the PlayStation network was first acknowledged by Sony on April 23rd, initial speculation focused on a potential link to the Hotz case – and the possibility that the ‘hacktivist’ group Anonymous may have been responsible, striking against Sony just as they had previously targeted multiple organisations such as Mastercard and Visa in a series of actions in ‘support’ of WikiLeaks founder Julian Assange.

But as events have continued to unfold, it now seems increasingly likely that the culprits are cyber criminals motivated by the prospect of financial gain. And with past data breaches estimated to have cost affected companies up to $200 per stolen credit card number, Sony could be counting the cost of this incident for some time to come.

© Threatscape Ltd, 2011 - http://www.threatscape.com/