Sony PlayStation Hack: 70 Million Users' Details Stolen

Wednesday, April 27, 2011

Jared Carstensen


Earlier this week, Sony, an international leader in games and online gaming, and its online gaming community, the PlayStation Network, were the victims of a targeted and structured hacking and cybercrime attack.

Was this another hack for prestige, or was it a meticulously planned cybercrime? Let’s take a look at the current information available on the incident and what the ramifications could be for PlayStation users.

The PlayStation Network (known to its online community as the PSN) is an online multiplayer gaming and digital media delivery service owned and run by Sony Computer Entertainment, the parent company for the PlayStation family.

The PlayStation Network is available for use with the PlayStation 3 (PS3) and PlayStation Portable (PSP) gaming consoles. The last official figures reported over 70 million registered PlayStation Network accounts (i.e. users) worldwide, with over 1.4 billion downloads recorded.

That makes the PlayStation Network no small-time processor of information, to say the least!

So, what happened, and of utmost importance - how did Sony react?

- On April 20, 2011, Sony acknowledged on the official PlayStation Blog that they were "aware certain functions of the PlayStation Network" were down. Upon attempting to sign in to the PlayStation Network via the PlayStation 3, users received a message indicating that the PlayStation Network was "undergoing maintenance".

- On April 21, 2011, Sony stated they were "investigating the cause" of the downtime and that "it may be a full day or two", while also expressing appreciation for their customers' patience.

- On April 22, 2011, Sony stated that an "external intrusion" had affected the PlayStation Network and Qriocity services (Sony's streaming music and video service).

- On April 23, 2011, Sony expressed regret for the outage and stated they were "re-building our system to further strengthen our network infrastructure". While citing that "the task is time-consuming", Sony also stated that "it was worth the time necessary to provide the system with additional security".

- On April 25, 2011, Sony's Senior Director of Corporate Communications stated on the PlayStation Blog, "Unfortunately, I don't have an update or timeframe to share at this point in time.", reiterating that rebuilding the Network was a "time intensive" process. Sony did not relay any additional information as to the cause or effect of the "external intrusion".

- On April 26, 2011, Sony posted on its verified Twitter account that PlayStation was "working quickly to get the PSN/Qriocity services back online quickly". Sony further tweeted, "We'll keep you updated", but only linked back to the April 25 post. Later that day Sony stated, "We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week", and disclosed that there had been a "compromise of personal information as a result of an illegal intrusion on our systems". Sony's Senior Director of Corporate Communications added on the PlayStation Blog: "I wanted to take this opportunity to clarify a point and answer one of the most frequently asked questions today. There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon."

On Tuesday 26th April 2011, Sony reported that user data had been taken in the same intrusion that caused the downtime. What Sony should have said was, "The hackers unfortunately got what they came for - i.e. all your information!"

So, what did these criminals get?

The statement from Sony / PSN reads as follows: “name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained”. No small prize when you have 70 million+ of those details!

So, what does this all mean - how did this happen, and surely this could have been prevented?

Sony, the PlayStation Network and other online gaming communities all have a major online presence. By their nature, these communities ask users to share information in order to enhance their gaming experience: names, addresses, email addresses, birthdays, and PlayStation Network logins and passwords.

Sony have stated that it is "possible" that user profile data could have been taken in addition to the other information. User profile data could include: purchases and purchase history, billing addresses and transactions, PSN passwords, security questions and answers, as well as any other information submitted to PSN during signup or over the account's history.

If we pause for a second and take stock of what this means for those affected: Your name, date of birth, address, billing address and contact details are most likely not going to change - so this information could be as valuable in a year or two to these criminals, as it is now (potentially even more valuable!).

It is also worth mentioning that many users, especially the less security-conscious, reuse the same password(s) across numerous online accounts: email, communities, social networking sites, etc. So with the usernames, passwords, email addresses, contact details, and even the "secret" password questions and answers now residing with these cybercriminals, this could hold the keys to many kingdoms.

Watch this space, as these pieces of the puzzle obtained from PSN will be used to unlock many other doors!
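How much of that reuse risk actually materialises depends on how PSN stored the passwords, which the post does not tell us. The following Python is an added example, not code from the original post or from Sony; every account, password, wordlist entry and "other service" login in it is constructed for illustration. It stores the same three accounts three ways (plaintext, unsalted SHA-1, and per-user salted PBKDF2-HMAC-SHA256 with an assumed 100,000-iteration work factor), shows what an attacker holding the stolen table recovers with a small wordlist, and then counts how many of the recovered passwords also open an unrelated service where the same people reused them:

```python
"""
Added illustration (not from the original post): what an attacker can do with a
stolen account table depends on how the passwords were stored. All account
data, the wordlist and the other-service logins below are constructed.
"""
import hashlib
import hmac
import os

# Constructed sample accounts: (online ID, password).
SAMPLE_ACCOUNTS = [
    ("gamer_one", "password1"),
    ("sniper_queen", "letmein"),
    ("arch1tect", "Tq9!vL#2mZ^pWq7c"),
]

# Constructed attacker wordlist; real ones run to millions of entries.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "sony2011"]

# Constructed logins at an unrelated service, to show the cost of reuse.
OTHER_SERVICE = {
    "gamer_one": "password1",         # reused PSN password, weak
    "sniper_queen": "Sp!der-Cat-42",  # different password
    "arch1tect": "Tq9!vL#2mZ^pWq7c",  # reused PSN password, strong
}

PBKDF2_ITERATIONS = 100_000  # assumption: an illustrative work factor


def store_plaintext(accounts):
    """Worst case: the stolen table is the credential."""
    return {oid: pw for oid, pw in accounts}


def store_unsalted_sha1(accounts):
    """Common anti-pattern: fast hash, no salt."""
    return {oid: hashlib.sha1(pw.encode()).hexdigest() for oid, pw in accounts}


def store_salted_pbkdf2(accounts, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    db = {}
    for oid, pw in accounts:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        db[oid] = (salt, iterations, digest)
    return db


def verify_pbkdf2(record, candidate):
    """Constant-time check of a candidate password against a stored record."""
    salt, iterations, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(guess, digest)


def recover_from_plaintext(db):
    return dict(db)


def recover_from_unsalted_sha1(db, wordlist):
    # One SHA-1 per candidate word covers every account in the table at once,
    # which is why unsalted hashes fall so quickly.
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {oid: table[h] for oid, h in db.items() if h in table}


def recover_from_salted_pbkdf2(db, wordlist):
    # The salt forces the attacker to rerun the slow KDF once per account per
    # candidate; weak passwords still fall, strong ones are not in the list.
    found = {}
    for oid, record in db.items():
        for w in wordlist:
            if verify_pbkdf2(record, w):
                found[oid] = w
                break
    return found


def credential_stuffing(recovered, other_service):
    """Online IDs whose recovered PSN password also opens the other service."""
    return sorted(oid for oid, pw in recovered.items() if other_service.get(oid) == pw)


def breach_impact(accounts=SAMPLE_ACCOUNTS, wordlist=WORDLIST, other=OTHER_SERVICE):
    """Per storage scheme: (recovered passwords, other-site account takeovers)."""
    plain = recover_from_plaintext(store_plaintext(accounts))
    sha1 = recover_from_unsalted_sha1(store_unsalted_sha1(accounts), wordlist)
    pbkdf2 = recover_from_salted_pbkdf2(store_salted_pbkdf2(accounts), wordlist)
    return {
        "plaintext": (plain, credential_stuffing(plain, other)),
        "unsalted_sha1": (sha1, credential_stuffing(sha1, other)),
        "salted_pbkdf2": (pbkdf2, credential_stuffing(pbkdf2, other)),
    }


if __name__ == "__main__":
    for scheme, (recovered, takeovers) in breach_impact().items():
        print(f"{scheme}: recovered {sorted(recovered)}; other-site takeovers {takeovers}")
```

With the constructed data, a plaintext table hands over all three passwords and two other-site accounts immediately; the unsalted and salted stores both give up the two dictionary passwords, but only the salted KDF makes the attacker pay one slow computation per account per guess, and the strong reused password survives in both hashed cases. Note that none of this helps with security-question answers, which are usually stored in the clear and need no cracking at all.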

Now, let’s have a look at the security and compliance standpoint of Sony / The Playstation Network - is this their fault? This is an area where opinion will be divided - have Sony done everything they should have done to satisfy security and compliance requirements?

Firstly, Sony and the PlayStation Network would be subject to any number of compliance frameworks and standards with which they are required to comply, or to demonstrate compliance. The first that comes to mind is PCI DSS (the Payment Card Industry Data Security Standard, developed by the major payment card brands to ensure a suitable level of security on networks, including public-facing networks, that process, transmit or store cardholder data). Taking into account the level of activity (reportedly 1.4 billion downloads, as stated earlier in this post), even if only 10% of those involved a card transaction, this would still place Sony / PSN as a Level 1 merchant (the top tier, over six million card transactions a year) and would require an annual on-site assessment by a Qualified Security Assessor (QSA) and numerous technical assessments, such as quarterly external vulnerability scans, against the PCI DSS standard. My feeling is that Sony / PSN would be audited any number of times a month by a vast array of customers, partners, suppliers and governing bodies. PSN might well be subject to other frameworks such as SAS 70, and numerous other rigorous tests (I have seen large organizations undergo hundreds of audits a year!).

All good if they have satisfied those requirements, but further proof that Compliant does not = Secure!

So - who did it? Who targeted the PlayStation Network and made away with a fortune in personal information tokens, and possibly Credit Card info?

Anonymous - the now infamous hacking group denies responsibility for this incident, saying on its site, "While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and does not take responsibility for whatever has happened”. That is of course if you trust the words of a dedicated hacking group.

The attack has come at a bad time for Sony (as if there is ever a good time to get hacked!), as "SOCOM 4", a multiplayer-focused action game and usually one of its biggest franchises, was released last week. Add to that the eagerly anticipated "Portal 2", which comes with a co-operative mode and an online aspect and also hit store shelves last week, with the integration of Valve's Steam online service into the PlayStation Network touted as one of the chief reasons to opt for the PS3 version of the game rather than the Xbox 360 version.

I am sure Microsoft (owner of the Xbox console) will be raising a slight smile, with their stock and sales set to gain from the PlayStation hack.

In summary, the question will no doubt be asked: was it Sony's / PlayStation's fault? In my opinion, probably not, but this might change depending on what information and reports are made available, which vulnerabilities or methods were used to obtain access to the relevant information, and how long it took Sony / PSN to react.

No question that hindsight is always 20/20, and the question I feel will need to be asked by the users and subscribers of PSN, all 70 million+ of them whose information is now in the hands of cybercriminals, is: could more have been done to protect the information?

And I feel the answer to this would be a most definite YES!

"If you have any suggestions on upcoming articles, please feel free to comment. Be sure to follow both InfosecIsland (@infosecisland) and Jared Carstensen (@jaredcarstensen) on Twitter." 

Lee Mangold: I understand that, like most breaches of this size, a lot went wrong. What I don't understand is how any passwords could be compromised. Surely in 2011 a company the size of Sony wouldn't be storing plain-text passwords...right?

Obviously we've seen it before, but I simply don't understand how this practice goes overlooked! When I see a table of passwords (not often), I start to get nervous...not to mention 70M!

Terry Perkins: Sony was not PCI compliant!

Terry Perkins: @Lance, what do you mean "that is ridiculous"? If the credit cards were in clear text, they are not compliant.

Terry Perkins: @Lance, I agree completely!

Terry Perkins: Wow! I can't believe that.

Robb Reck: I guess we need to stop making assumptions that 'big company' equals 'commitment to security.'

Ken Major: If I have said it once, I've said it a million times. Bigger does not mean better in the information security universe. Better = better.

btw - their commentary re: the Internet Community responsibility is very very troubling. If my mom said it to me once she said it a million times: fix your issues 1st before you even worry about anybody else, let alone try and fix it.

Methinks SONY should spend some extra effort in the 'Lessons Learned' phase of their new incident response program.

Ken Major: Until I read a report that sounds something like "...kicking arse and taking names until we get our collective heads out of our ...." That is my bet as well. They appear to have a very bad attitude. Waaaaaaa, we're a victim waaaaaaaaaaa.

Marc Massar: @Terry & @Lance I don't see the PSN on the list of compliant merchants - doesn't mean they didn't go through a PCI assessment, but could mean they didn't use a QSA. It also doesn't mean they aren't, or weren't, compliant. According to Sony, they weren't storing clear card data (which is still allowed in any case when you use compensating controls or one of the other protections listed in 3.4), but the PCI DSS isn't concerned with other data elements that did get compromised (birthdate, address, email, etc).

I wonder if Sony is considered a Level 1 merchant and, if they are, who's the QSA? Sure, my credit card data didn't get stolen, but everything else that goes with it did. Kind of lame. Maybe the industry needs to think about protecting more than just what's "in scope" for PCI.