2011 PlayStation Network outage

The 2011 PlayStation Network outage (sometimes referred to as the PSN Hack) was the result of an " external intrusion" on Sony's PlayStation Network and Qriocity services, in which personal details from approximately 77 million accounts were compromised and prevented users of PlayStation 3 and PlayStation Portable consoles from accessing the service. The attack occurred between April 17 and April 19, 2011, forcing Sony to turn off the PlayStation Network on April 20. On May 4, Sony confirmed that personally identifiable information from each of the 77 million accounts had been exposed. The outage lasted 23 days.

At the time of the outage, with a count of 77 million registered PlayStation Network accounts, it was not only one of the largest data security breaches, but also the longest PS Network outage in history. It surpassed the 2007 TJX hack which affected 45 million customers. Government officials in various countries voiced concern over the theft and Sony's one-week delay before warning its users.

Sony stated on April 26 that it was attempting to get online services running "within a week." On May 14, Sony released PlayStation 3 firmware version 3.61 as a security patch. The firmware required users to change their account's password upon signing in. At the time the firmware was released, the network was still offline. Regional restoration was announced by Kazuo Hirai in a video from Sony. A map of regional restoration and the network within the United States was shared as the service was coming back online.

Prelude

Sometime In March 2010, Sony had released a firmware update for the PlayStation 3, which had patched functionality to use 3rd Party Operating Systems, such as Linux, on the System. This had caused outrage in the System's modding community, as the 3rd Party Operating Systems were used frequently in modification.

On January 2, 2011, George Hotz had successfully jailbroke the PlayStation 3 firmware. A day later, he had started distributing the jailbreak through his website.

On January 11, 2011, Sony had filed a lawsuit against Hotz, for distributing software to jailbreak their systems on his website.

On April 2, 2011, a group of hackers claiming to be Anonymous, had declared "Operation Sony". Later the same week, On April 11th, Sony had dropped the lawsuit with Hotz.

On April 13th, the group had released a video in text to speech, calling for "A day of Sony Protest".

Timeline of the outage

On April 20, 2011, Sony acknowledged on the official PlayStation Blog that it was "aware certain functions of the PlayStation Network" were down. Upon attempting to sign in via the PlayStation 3, users received a message indicating that the network was "undergoing maintenance". The following day, Sony asked its customers for patience while the cause of outage was investigated and stated that it may take "a full day or two" to get the service fully functional again.

The company later announced an "external intrusion" had affected the PlayStation Network and Qriocity services. This intrusion occurred between April 17 and April 19. On April 20, Sony suspended all PlayStation Network and Qriocity services worldwide. Sony expressed their regrets for the downtime and called the task of repairing the system "time-consuming" but would lead to a stronger network infrastructure and additional security. On April 25, Sony spokesman Patrick Seybold reiterated on the PlayStation Blog that fixing and enhancing the network was a "time intensive" process with no estimated time of completion. However, the next day Sony stated that there was a "clear path to have PlayStation Network and Qriocity systems back online", with some services expected to be restored within a week. Furthermore, Sony acknowledged the "compromise of personal information as a result of an illegal intrusion on our systems."

On May 1 Sony announced a "Welcome Back" program for customers affected by the outage. The company also confirmed that some PSN and Qriocity services would be available during the first week of May. The list of services expected to become available included:

On May 2 Sony issued a press release, according to which the Sony Online Entertainment (SOE) services had been taken offline for maintenance due to potentially related activities during the initial criminal hack. Over 12,000 credit card numbers, albeit in encrypted form, from non-U.S. cardholders and additional information from 24.7 million SOE accounts may have been accessed.

During the week, Sony sent a letter to the US House of Representatives, answering questions and concerns about the event. In the letter Sony announced that they would be providing Identity Theft insurance policies in the amount of US$1 million per user of the PlayStation Network and Qriocity services, despite no reports of credit card fraud being indicated. This was later confirmed on the PlayStation Blog, where it was announced that the service, AllClear ID Plus powered by Debix, would be available to users in the United States free for 12 months, and would include Internet surveillance, complete identity repair in the event of theft and a $1 million identity theft insurance policy for each user.

On May 6 Sony stated they had begun "final stages of internal testing" for the PlayStation Network, which had been rebuilt. However, the following day Sony reported that they would not be able to bring services back online within the one-week timeframe given on May 1, because "the extent of the attack on Sony Online Entertainment servers" had not been known at the time. SOE confirmed on their Twitter account that their games would not be available until some time after the weekend.

Reuters began reporting the event as "the biggest Internet security break-in ever". A Sony spokesperson said:
*Sony had removed the personal details of 2,500 people stolen by hackers and posted on a website
*The data included names and some addresses, which were in a database created in 2001
*No date had been fixed for the restart

On May 14 various services began coming back online on a country-by-country basis, starting with North America. These services included: sign-in for PSN and Qriocity services (including password resetting), online game-play on PS3 and PSP, playback of rental video content, Music Unlimited service (PS3 and PC), access to third party services (such as Netflix, Hulu, Vudu and MLB.tv), friends list, chat functionality and PlayStation Home. The actions came with a firmware update for the PS3, version 3.61. As of May 15 service in Japan and East Asia had not yet been approved.

On May 18 SOE shut down the password reset page on their site following the discovery of another exploit that allowed users to reset other users' passwords, using the other user's email address and date of birth. Sign-in using PSN details to various other Sony websites was also disabled, but console sign-ins were not affected.

On May 23 Sony stated that the outage costs were $171 million.

Sony response

US House of Representatives

Sony reported on May 4 to the PlayStation Blog that:

Sony relayed via the letter that:

Explanation of delays

On April 26, 2011 Sony explained on the PlayStation Blog why it took so long to inform PSN users of the data theft:

Sony investigation

Possible data theft led Sony to provide an update in regards to a criminal investigation in a blog posted on April 27: "We are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible."

On May 3 Sony Computer Entertainment CEO Kazuo Hirai reiterated this and said the "external intrusion" which had caused them to shut down the PlayStation Network constituted a "criminal cyber attack". Hirai expanded further, claiming that Sony systems had been under attack prior to the outage "for the past month and half", suggesting a concerted attempt to target Sony.

On May 4 Sony announced that it was adding Data Forte to the investigation team of Guidance Software and Protiviti in analysing the attacks. Legal aspects of the case were handled by Baker & McKenzie. Sony stated their belief that Anonymous, a decentralized unorganized loosely affiliated group of hackers and activists may have performed the attack. No Anons claimed any involvement.

Upon learning that a breach had occurred, Sony launched an internal investigation. Sony reported, in its letter to the United States Congress:

Inability to use PlayStation 3 content

While most games remained playable in their offline modes, the PlayStation 3 was unable to play certain Capcom titles in any form. Streaming video providers throughout different regions such as Hulu, Vudu, Netflix and LoveFilm displayed the same maintenance message. Some users claimed to be able to use Netflix's streaming service but others were unable.

Criticism of Sony

Delayed warning of possible data theft

On April 26 nearly a week after the outage, Sony confirmed that it "cannot rule out the possibility" that personally identifiable information such as PlayStation Network account username, password, home address, and email address had been compromised. Sony also mentioned the possibility that credit card data was taken—after claiming that encryption had been placed on the databases, which would partially satisfy PCI Compliance for storing credit card information on a server.
Subsequent to the announcement on both the official blog and by e-mail, users were asked to safeguard credit card transactions by checking bank statements. This warning came nearly a week after the initial " external intrusion" and while the Network was turned off.

Some disputed this explanation and queried that if Sony deemed the situation so severe that they had to turn off the network, Sony should have warned users of possible data theft sooner than on April 26. Concerns have been raised over violations of PCI Compliance and the failure to immediately notify users. US Senator Richard Blumenthal wrote to Sony Computer Entertainment America CEO Jack Tretton questioning the delay.

Sony replied in a letter to the subcommittee:

Unencrypted personal details

Credit card data was encrypted, but Sony admitted that other user information was not encrypted at the time of the intrusion. ''The Daily Telegraph'' reported that "If the provider stores passwords unencrypted, then it's very easy for somebody else – not just an external attacker, but members of staff or contractors working on Sony's site – to get access and discover those passwords, potentially using them for nefarious means."
On May 2, Sony clarified the "unencrypted" status of users' passwords, stating that:

British Information Commissioners Office

Following a formal investigation of Sony for breaches of the UK's Data Protection Act 1998, the Information Commissioners' Office issued a statement highly critical of the security Sony had in place:

Sony was fined £250,000 ($395k) for security measures so poor they did not comply with the British law.

Sony Online Entertainment outage

On May 3 Sony stated in a press release that there may be a correlation between the attack that had occurred on April 16 towards the PlayStation Network and one that compromised Sony Online Entertainment on May 2. This portion of the attack resulted in the theft of information on 24.6 million Sony Online Entertainment account holders. The database contained 12,700 credit card numbers, particularly those of non-U.S. residents, and had not been in use since 2007 as much of the data applied to expired cards and deleted accounts. Sony updated this information the following day by stating that only 900 cards on the database were still valid. The attack resulted in the suspension of SOE servers and Facebook games. SOE granted 30 days of free time, plus one day for each day the server was down, to users of ''Clone Wars Adventures'', ''DC Universe Online'', ''EverQuest'', '' EverQuest II'', ''EverQuest Online Adventures'', ''Free Realms'', ''Pirates of the Burning Sea'', ''PlanetSide'', '' Poxnora'', '' Star Wars Galaxies'' and '' Vanguard: Saga of Heroes'', as well as other forms of compensation for all other Sony Online games.

Security experts Eugene Lapidous of AnchorFree, Chester Wisniewski of Sophos Canada and Avner Levin of Ryerson University criticized Sony, questioning its methods of securing user data. Lapidous called the breach "difficult to excuse" and Wisniewski called it "an act of hubris or simply gross incompetence".

Reaction

Compensation to users

Sony hosted special events after the PlayStation Network returned to service. Sony stated that they had plans for PS3 versions of DC Universe Online and Free Realms to help alleviate some of their losses. In a press conference in Tokyo on May 1, Sony announced a "Welcome Back" program. As well as "selected PlayStation entertainment content" the program promised to include 30 days free membership of PlayStation Plus for all PSN members, while existing PlayStation Plus members received an additional 30 days on their subscription. Qriocity subscribers received 30 days. Sony promised other content and services over the coming weeks. Sony offered one year free identity theft protection to all users with details forthcoming.

Hulu compensated PlayStation 3 users for the inability to use their service during the outage by offering one week of free service to Hulu Plus members.

On May 16, 2011, Sony announced that two PlayStation 3 games and two PSP games would be offered for free from lists of five and four, respectively. The games available varied by region and were only available in countries which had access to the PlayStation Store prior to the outage. On May 27, 2011, Sony announced the "welcome back" package for Japan and the Asia region (Hong Kong, Singapore, Malaysia, Thailand and Indonesia). In the Asia region, a theme - ''Dokodemo Issyo Spring Theme'' - was offered for free in addition to the games available in the "welcome back" package.

5 PSP games are offered in the Japanese market.

Version of ''Killzone Liberation'' offered does not offer online gameplay functionality.

Government reaction

The data theft concerned authorities around the world. Graham Cluley, senior technology consultant at Sophos, said the breach "certainly ranks as one of the biggest data losses ever to affect individuals".

The British Information Commissioner's Office stated that Sony would be questioned, and that an investigation would take place to discover whether Sony had taken adequate precautions to protect customer details. Under the UK's Data Protection Act, Sony was fined £250,000 for the breach.

Privacy Commissioner of Canada Jennifer Stoddart confirmed that the Canadian authorities would investigate. The Commissioner's office conveyed their concern as to why the authorities in Canada weren't informed of a security breach earlier.

US Senator Richard Blumenthal of Connecticut demanded answers from Sony about the data breach by emailing SCEA CEO Jack Tretton arguing about the delay in informing its customers and insisting that Sony do more for its customers than just offer free credit reporting services. Blumenthal later called for an investigation by the US Department of Justice to find the person or persons responsible and to determine if Sony was liable for the way that it handled the situation.

Congresswoman Mary Bono Mack and Congressman G. K. Butterfield sent a letter to Sony, demanding information on when the breach was discovered and how the crisis would be handled.

Sony had been asked to testify before a congressional hearing on security and to answer questions about the breach of security on May 2, but sent a written response instead.

Legal action against Sony

A lawsuit was posted on April 27 by Kristopher Johns from Birmingham, Alabama on behalf of all PlayStation users alleging Sony "failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back online." According to the complaint filed in the lawsuit, Sony failed to notify members of a possible security breach and storing members' credit card information, a violation of PCI Compliance—the digital security standard for the Payment Card Industry.

A Canadian lawsuit against Sony USA, Sony Canada and Sony Japan claimed damages up to C$1 billion including free credit monitoring and identity theft insurance. The plaintiff was quoted as saying, "If you can't trust a huge multi-national corporation like Sony to protect your private information, who can you trust? It appears to me that Sony focuses more on protecting its games than its PlayStation users".

In October 2012 a California judge dismissed a lawsuit against Sony over the PSN security breach, ruling that Sony had not violated California's consumer-protection laws, citing "there is no such thing as perfect security".

In 2013 United Kingdom Information Commissioner's Office charged Sony with a £250,000 penalty for putting a large amount of personal and financial data of PSN clients at risk.

Credit card fraud

, there were no verifiable reports of credit card fraud related to the outage. There were reports on the Internet that some PlayStation users experienced credit card fraud; however, they were yet to be linked to the incident. Users who registered a credit card for use only with Sony also reported credit card fraud. Sony said that the CSC codes requested by their services were not stored, but hackers may have been able to decrypt or record credit card details while inside Sony's network.

Sony stated in their letter to the subcommittee:

On May 5, a letter from Sony Corporation of America CEO and President Sir Howard Stringer emphasized that there had been no evidence of credit card fraud and that a $1 million identity theft insurance policy would be available to PSN and Qriocity users:

Change to terms and conditions

It has been suggested that a change to the PSN terms and conditions announced on September 15, 2011, was motivated by the large damages being claimed by class action suits against Sony, in an effort to minimise the company's losses. The new agreement required users to agree to give up their right (to join together as a group in a class action) to sue Sony over any future security breach, without first trying to resolve legal issues with an arbitrator. This included any ongoing class action suits initiated prior to August 20, 2011.

Another clause, which removed a user's right to trial by jury should the user opt out of the clause (by sending a letter to Sony), says:

Sony guaranteed that a court of law in the respective country, in this case the US, would hold jurisdiction in regards to any rules or changes in the Sony PSN ToS:

References

{{PlayStation

2011 crimes
PlayStation
Network
PlayStation Network
Network
Sony Interactive Entertainment
2010s internet outages

da:PlayStation Network#PlayStation Networks nedbrud 2011