Top 10 Influential 2011: Sony's PSN hacking
- 05 December, 2011 11:36
While the tag-teaming antics of LulzSec and Anonymous made many a security news headline during the last year, arguably the repeated hacking of Sony’s PlayStation Network (PSN) and Qriocity services was the biggest hack, securing its place in the Top 10 Influential list for 2011.
The story began with Sony closing its PSN and Qriocity online services a day after it discovered that an unknown hacker or hackers penetrated three firewalls to get inside Sony's system and steal data on all 77 million registered accounts. Estimates of the total number of accounts affected range up to 100 million.
The stolen data included user names, e-mail addresses, login IDs and passwords. It was originally feared that millions of credit card numbers had also been leaked, but a subsequent computer forensics investigation failed to find any evidence that the credit card database had been accessed by the attacker.
The company revealed publicly two days later that "an external intrusion on our system has affected our PlayStation Network and Qriocity services."
Hacking group Anonymous said in a statement shortly after that its core had nothing to do with the attack, but the message left open the possibility that individuals from the group might be responsible.
Five days after the initial breach, computer security experts called in by Sony concluded a breach of consumer data had occurred when the PlayStation Network was hacked. At the time, the company held off on making the announcement until the next day.
It took more than a month and a half for Sony’s services to be restored, with the company stating in June that it had made considerable enhancements to data security, including updating and adding advanced security technologies, additional software monitoring and penetration and vulnerability testing, and increased levels of encryption and additional firewalls.
The company also added a variety of other measures to the network infrastructure including an early warning system for unusual activity patterns that could signal an attempt to compromise the network.
So, while the taking down of Sony’s PSN in particular had a massive effect on gamers around the world, the impact of the story extends much further.
For one, there’s the cost -- Sony said in May that it expected the hack to cost some US$170 million for its then-current financial year. For another, there’s the sheer scale of the attack – roughly 77 million accounts on the PlayStation Network and sister Qriocity service stolen in the first attack alone.
The hacking also exposed the inadequacy of Sony’s security and showed just how vulnerable corporations are: being one of the world’s largest ICT companies is no protection whatever. As a result of the hacking, Sony rebuilt its PlayStation Network to be virtually hack-proof. The company also created the role of chief information security officer, which would report directly to the CEO.
Security companies also weighed in, with NetIQ arguing that Sony should build a security incident response team similar to those used by banks and financial institutions. Sophos argued that customer data – not just credit card details – should be encrypted by default, while Norton said Sony needed to take precautions against the discovery, capture and exfiltration of data.
The hack also prompted a rethink in how the company protects the personal data of its customers.
In August the company announced that its PSN customers would be offered a free year-long trial of a range of CSIdentity's anti-fraud services, with the option to pay for the service thereafter.
It also prompted the company to issue new terms of service to its North American customers which effectively waived their right to sue Sony for future security breaches. As Sony Australia falls under Sony Europe, local PSN customers were not asked to accept the new terms.
The office of the Australian Privacy Commissioner also investigated the hacking, reporting in September that Sony Computer Entertainment Australia should have acted more quickly to notify customers of the data breach from the hacking of the PlayStation Network and Qriocity platforms in April.
So, do you think the Sony PSN hacking ranks as one of the biggest stories of the year? Comment below on how high you’d rank the story, and what else should be included in the Top 10.
- PlayStation Network hack timeline
- Sony's PlayStation Network (PSN) restored
- PlayStation Network hack will cost Sony $170M
- Sony vows fresh start after hacking
- Can a new CISO improve Sony PlayStation Network security?
- Sony needs an incident response team: NetIQ
- Sony must learn from PlayStation Network attacks: Sophos, Norton
- Sony PlayStation Network (PSN) customers to pay for identity protection?
- Sony PSN Australia customers spared service changes
- Privacy Commissioner clears Sony over PSN hack