Sony implicates Anonymous in PlayStation Network hack • The Register

PII from all PSN users lifted

“Information appears to have been stolen from all PlayStation Network user accounts, although not every piece of information in those accounts appears to have been stolen,” Hirai wrote. “The criminal intruders stole personal information from all of the approximately 77 million PlayStation Network and Qriocity service accounts.”

On April 26, Sony first warned users of the data theft.

Investigators have determined that the intruders issued commands that probed the compromised systems for user data related to their email addresses and other PII. The investigators have also “seen large amounts of data transferred in response to those queries.” So far, there are no “confirmed reports of illegal usage of the stolen information.”

Investigators have seen no server queries for credit card data, and credit card issuers have yet to report any fraudulent transactions believed to be a direct result of the security breach.

In all, 12.3 million PSN accounts contained data from credit cards, some of which may have been expired. About 5.6 million of the accounts belonged to people located in the US.

Hirai outlined several steps Sony is taking to improve security, including the naming of a new chief information security officer, who will report to Sony's chief information officer. The company also plans to relocate its PSN systems to a “new data center in a different location with enhanced security.”

Sony will also provide US-based users with “complimentary identity theft protection services,” and hinted at giving users in other countries a similar offering.

Hirai's account didn't provide crucial details about the encryption and cryptographic hashing used to secure credit card numbers and passwords respectively. If the hashing followed security best practices, the passwords would have been converted into unique text stings that would be impossible for the typical attacker to reverse. Encrypting credit card data could also go a long way to securing it, provided the private key wasn't also exposed.

The account also makes no additional references to Anonymous, a group that is best known for its capacity to DDoS, and on rare occasion, remotely compromise, the systems of people and companies whose policies the group opposes. There is no evidence Anonymous has ever engaged in hacking for profit.

Various people claiming to be Anonymous members have issued conflicting communiques, with some warning Sony it would soon experience the wrath of Anonymous and others disavowing any involvement in the Sony DDoS attacks.

Hirai's letter didn't address the seeming contradiction.

“What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes,” he wrote. “Sunday's discovery that data had been stolen from Sony Online Entertainment only highlights this point.” ®

This article was updated to report additional details.

Customer Success Testimonial: Recovery is Everything

COMMENTS

House Rules Send Corrections

All Reader Comments (96)

Highly Rated

Posted Wednesday 4th May 2011 20:22 GMT

Will Godfrey

Bullshit

If it were at all possible Sony would have just gone down further in my estimation.

I don't for one minute think that Anon. had any connection with this. It's just not the way they work.

What is far more likely is that a criminal gang was already preparing for this attack, and found the Anon. DDOS a convenient smokescreen. Obviously they'd think of leaving a 'note' behind to muddy the waters further. One could argue they wouldn't be very {ahem} professional if they didn't!

In reality Sony is responsible for their own lax security - has a certain familiarity doesn't it?

Posted Wednesday 4th May 2011 20:23 GMT

Chad H.