Saturday, December 10, 2011

Playstation Network Outage

by Ish Patel

Playstation Network, a free-to-access service that allows users to play online games, surf the web, and download media content, was infiltrated by an anonymous hacker. The intrusion caused an outage of the network that prevented Playstation 3 and Playstation Portable consoles from playing online through the service. The attack occurred sometime between April 16, 2011 and April 17, 2011, forcing Sony to shut down the network on April 20. Six days later, Sony issued a public statement admitting that the PSN had been hacked and that an FBI investigation was taking place. They confirmed that the customer details of approximately 77 million accounts were compromised. This included personally identifiable information such as account username, password, home address, and email, and possibly credit card data. With a total of 77 million customers affected, the theft would make this one of the largest data breaches in history.

On May 14, 2011, which is 24 days after the PSN was shut down, Sony released a software update that required all users to change their password when signing into the network. Many users believe that Sony took too long to notify them that their information had been exposed, and that the delay did not allow customers to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other actions. A lawsuit was filed against Sony asking for monetary compensation and free credit card monitoring. Sony then explained on Playstation Blog why it took so long to inform PSN users of the theft.

"There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon."

Some suggested that Sony had failed to encrypt passwords. They pointed out that if the provider stores passwords unencrypted, then it is very easy for somebody else, not just an external attacker but also members of the staff, to get access and discover the passwords. Sony then admitted that although most user information was not encrypted at the time of the intrusion, the passwords were stored using a cryptographic hash function and not in cleartext form.

At the Tokyo press conference on May 1, 2011, Sony revealed its "Welcome Back" program, designed to reward customers affected by the outage. Sony offered "selected Playstation entertainment content" for free download on a region-by-region basis once the service was restored. All existing PSN customers were also offered 30 days of free membership of the Playstation Plus service.

To provide greater protection of personal information, Sony has now implemented a variety of new security measures. Tests were conducted with third-party experts to assess the strength of the network. The new security measures included:

- Automated software monitoring and configuration management to help defend against new attacks.
- Enhanced levels of data protection and encryption.
- Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns.
- Implementation of additional firewalls.


