Sony's PlayStation Network and Qriocity hacked

Payment Card Industry News Payment Card Industry Security Incidents
1

Sony says personal data and perhaps credit card information were stolen from ten s of millions of users of its online game and movie service, as well as its on-demand digital music service

Sony Corp. said hackers had obtained personal data, and possibly credit card information, of tens of millions of people who have registered for PlayStation Network, the company’s online game and movie service, as well as Qriocity, its on-demand digital music service.

“This was a big one,” said Bruce Schneier, security technologist and author of “Beyond Fear” and other books on computer security, referring to the number of accounts and the scope of information involved.
As of March 31, Sony had 77 million accounts for its PlayStation Network service, which links users via the Sony PlayStation 3 video game console to download games and tap into online services such as Netflix’s video streaming service.

										 										 										Not all accounts are active, and it's possible that one person can have multiple accounts.

Hackers who gained access to personal information last week were able to steal names, addresses, phone numbers, user names, birth dates, email addresses and passwords, Sony said. The company said it did not know whether credit card information was stolen.

“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility,” Sony PlayStation spokesman Patrick Seybold wrote on the company’s blog. “If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”

Sony last week shut down its PlayStation Network service, saying it had been the target of an “intrusion,” but did not release details until Tuesday.
The delay drew criticism from Sen. Richard Blumenthal (D-Conn.), who fired off a letter to the president of Sony’s PlayStation business in the U.S., Jack Tretton, saying he was “troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections.”

“We learned there was an intrusion April 19 and subsequently shut the services down,” Sony spokesman Patrick Seybold said. “We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until [Monday] to understand the scope of the breach. We then shared that information with our consumers and announced it publicly [Tuesday].”

Schneier said such attacks aren’t unusual and that few consumers are permanently damaged from any resulting identity theft.
“This happens a lot, and there’s nothing you can do about it,” Schneier said. “You might be screwed, but you’ll basically be OK.”
Meanwhile, Sony said it plans to get parts of its PlayStation Network back up “within a week.”

                                                                                                                                                                                 By Alex Pham, Los Angeles Times                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       April 27, 2011
2

Cops Arrest Three Anonymous Members Allegedly Involved in Sony Hack

Spanish authorities announced Friday they have arrested three members of the hacking group Anonymous in connection to attacks against Sony’s online Playstation network and other sites.

The police said the three, whose identities were not disclosed, carried out the attacks from a server based in one of the suspect’s houses in northern Spain, Reuters said.

Anonymous, a loose-knit collective of online griefers, has denied that it participated in the Sony hack, but has publicly taken credit for attacks against PayPal, Visa and others because those institutions declined to transmit donations to the whistleblower site, WikiLeaks.

The hack against Sony’s Playstation site forced the company to shutter its online gaming service for more than a month. Sony Chairman Howard Stringer said Anonymous had attacked the websites of several Sony divisions.

Anonymous recently declared Sony a target to protest the company’s lawsuit against PlayStation 3 tinkerer George Hotz. Sony claimed an Anonymous calling card was found on one of the compromised servers.
But Anonymous said last month that “online thieves” have framed the group insofar as the attacks on Sony were concerned.

The Spanish police said that Anonymous was responsible for hacks of government sites in Algeria, Iran, Egypt and Libya, in addition to two Spanish banks and an Italian energy concern.

Authorities in the United States are also probing the group.

By David Kravets @wired.com. June 10, 2011