- Lo-Ping - http://www.lo-ping.org -

Talking Points from Sony's Press Conference

Sony announced earlier today that gaming division head Kaz Hirai would make a statement Sunday afternoon, Tokyo time, to address the PlayStation Network outage.  Hirai would brief us on the security breach, PSN security measures, and plans to restore service.  What follows are a few points brought up during the conference.

Sony acknowledged again that on April 19 they were alerted to an intrusion on the PSN servers, after which they turned off the servers.  On the 20th, they engaged a US security firm to mirror the servers and investigate the system.  They determined it was a HIGHLY sophisticated intrusion by one or more users.

They engaged another firm on the 23rd, which analyzed a large amount of data to help determine what had occurred on the servers.  On the 26th, because they couldn’t rule out the possibility that other data had been taken, they alerted users with information about this intrusion and how to safeguard themselves.

Information obtained was: name, address, email address, DOB, gender, and PSN and Qriocity login and password.  While there was no evidence that credit card data and expiration dates, including purchase history and billing addresses, were taken, they told users to remain vigilant.  They confirmed, however, that the 3- and 4-digit security codes have NOT been compromised.  Monitoring this data remains their top priority.

They asked the United States FBI to conduct criminal investigations to find out who was responsible for the attack on Sony and their customers.  They will share information on the investigation when they have more.

They will be taking actions to stop the recurrence of these actions in the future.  They’ve established a more advanced security data center in San Diego.  They have a new program in effect for higher security of data, including more advanced software monitoring, enhanced data encryption, monitoring for unauthorized access and access patterns, and additional firewalls.  They’ve also created a position exclusively devoted to system security.  There will also be a new update that will require users to change their PSN and Qriocity password, but ONLY on the same PS3 the account was created on or through validated email.

They’re still asking customers to remain vigilant and periodically check their credit card statements.  Customers can check their purchase history on PSN and Qriocity services through their Customer Support system.  They will be asked to change their passwords upon signing in to this program if they  haven’t already.

They are safeguarding customers by informing them that Sony will NEVER contact them through email, or other fashion asking for credit card information or other personally identifying information.  While there’s no evidence that credit card data was taken, they will be considering covering the cost of reissuing credit cards in addition to possibly enrolling users in identity protection services.

The Sony PSN “Welcome Back” program will offer selected PlayStation entertainment content for free download, with details for each region to be announced soon.  Existing PSN+ members and new members will also receive a complimentary 30-day service of PlayStation Plus.  Details can be found on the Sony website.

Sony says they have learned from this incident and will further enhance their security.  While unrelated, they received a text from the internet group ANONYMOUS which, in addition to posting information on members of the company, their families and their schools, called for sit-ins at Sony stores around the world.  They will be working with law enforcement agencies around the world to combat intrusions as well as assure the safety of a “networked society”.

They offered their apologies for this incident, and making services unavailable for an extended period of time, upon which they opened the floor to questions.

QUESTIONS:

-“As of now, you say the ‘maximum 10 million cases’.  Is this the maximum cases of information compromise or just relating to credit cards. Also, is it possible to restore services and would this have a long term impact on the company and their services?”

“The number of credit cards stored were 10 million.  We cannot rule out the possibility of information compromise, so that’s why we reported on it.  In view of ensuring the security of users information, we made this announcement.  The US House (of Representatives) have not sent the inquiry to me, but we downloaded the document from the network and we tried to answer the questions in kind.  So basically as I mentioned, by the end of a week’s time, we would like to restart our services in order.  In the potential impact on our performance, the program to ensure the high security of personal information and also, in some regions, the fee to reissue the credit cards and also various services we offer on PSN and Qriocity and also the services lost…there are MANY factors to take in.  We are not in the position to report on this yet and scrutinize the information.  We will inform you in full later on.”
“We have not received report that credit card damages have taken place, so it is not possible to assess at this point.”

-“Initially, abnormalities were reported, how did you receive this report?  How were ‘proper actions’ taken?”

“On the 20th of April, when I received the report, we investigated the incident and saw that it was a VERY sophisticated attack.  Whether or not certain data was leaked we weren’t certain.  Next question?”

-“The CC data, so far there’s no evidence of compromise, yet some reports are leaking out.  How can you be sure?  You mention that you were cooperating with authorities, including FBI.  Have you reported the damages?  Have you taken legal actions like lawsuits?  What legal actions can you take?  Especially outside the US?”

“The leak of CC data is a POSSIBILITY, we remind you.  Which pieces of data was leaked we are still investigating.  It is not possible to give you, with any certainty, what is the extent.  The number of registered accounts is 78 million, but let me add to these words.  There’s such a thing as duality where some users create multiple accounts, so in terms of how many INDIVIDUALS are affected, we surmise that less than 78 million are affected.  But for data, it’s 78 million potentially.  As for legal action, SCEI is located in the United States, so we’ve asked them in initiating the investigation.  But since that, since the investigation has been started, please allow me to refrain from answering further questions.  Outside the US, not to my knowledge, other investigating entities have come to us with inquiries and we respond on a case-to-case basis.”

“If there’s information that has been taken out, we can be sure that information has been compromised.  But as far as certainty, we do not have that certainty YET.  But we cannot rule out the POSSIBILITY, so we make this announcement and post this notice on the website.” “Concerning credit card information, the reason we think the possibility that CC data is lower, the reason is that the information is encrypted and in a separate part of the database.”

-“About the application servers, you say that there’s the vulnerability of the servers were activated.  What kind of vulnerability?  A new vulnerability?  Was it a patch?”

“The vulnerability was a known vulnerability.  SNEI management was not aware of this compromise, so we’re trying to improve this by establishing a Security Information Officer.  The specifics?  We’d like to refrain from details as that’d lead to more attacks.  The firmware update of the PS3, there are various aspects.  One of the most visible to the user is connecting to the network will require users to change their passwords.  In resuming the services as was mentioned, we WILL move the data center and strengthen and enforce our measures against unauthorized intrusions and make preparations to start reopening of services.”

-“About compensation: You said you’ve caused customers inconvenience, services will be given free of charge.  You talked of fees to be paid for reissuing credit cards.  Any other services contemplating?”

“Fee will be paid by us to reissue CCs.  In some regions, private personal data including CC data relating to monitoring if illegal use has occurred, assurance programs to cover those WILL be issued to use by us.  Fees, expenses the customer will be issued and billing, we’d support the customer in the best possible way.  As of now, illegal use of credit card has NOT been reported.  As of now, to protect this information, we’d like to deploy these programs in region by region.”

-“About your disclosure policy, do you think there’s a weakness there?”

“I’ve given you a timeline earlier: We’ve received the report, we stopped the PSN and Qriocity services to stop the spread.  PSN is a large system as you know, so we engaged 3 companies to analyze the situation.  At the time, access was made, and this involved a voluminous amount of data.  We took this into consideration.  As we made certain of the situation, we took PROMPT action.  Let me make this point: When we stopped the system required a gradual outage of the system, so more time was needed to actually bring down the system.  Again, there was a voluminous amount of data to analyze, so this in turn provided more inconvenience to the customer, but only to provide them a more assured.”

-“Sony announced their Tablet on the 26.  Why wasn’t an announcement made then?”

“I may be repeating myself, but we wanted to be certain of the information before reporting it.  A day later, we reported.”

-“What do you think the purpose/objective of this intrusion?  It’s unlikely they took CC information, so it’s unlikely it was for monetary purposes?  What was the purpose then?”

“For the past month and a half, we’ve experienced various attacks on Sony’s systems.  We’ve yet to identify the link with various groups.  We’ve yet to link that particular group with THIS attack.  There are guesses, but at this point in time, what was the purpose of intrusions and to commit various acts?  We aren’t in a position to say one way or the other.  Not to say we have no information, we have some, but it’s in the realm of speculation.”

-“You mentioned that passwords were taken out, but aren’t passwords encrypted?  If passwords are encrypted, what’s to prevent CC info from being unencrypted?”

“PW and information OTHER than CC information, aside from various security measures taken.  However, concerning credit card information, it is on another part of the database in ADDITION to being encrypted.”

-“You spoke of network strategy, you spoke of strengthening and improving.  In addition to tablets and other works, you have a lot scheduled.  So with the deployment of these programs, will this affect your schedule?  Also, what’s the damage currently?”

“Some places are yet to receive PSN services.  The Tablet and NG-PSP hinge upon the functioning of network to provide excellent customer experience.  The situation that has occurred and future forces…we have to think long term to take action immediately.  First and foremost, network services/products, we have to regain trust and confidence of users by strengthening network technically AS WELL AS communicating to users to improve their experience and providing products like Tablet and NGPSP.” “Tablet and NGP will not change their schedule.  As of now, Tablet and NGP, there is no changes from earlier announcements.”

-“Concerning the incidents, if the customers wanted to cancel services or cancel/nullify information, what would you do?  Users would not change their passwords when the passwords after, ex: A changed to B, then back to A, would you prevent such an occurrence?”

“If customers wish to cancel services of PSN and Qriocity, we WILL cooperate with such in good faith.  Regarding changing passwords, I know such concern exists.  Therefore, we will take various measures such as notices on website such as taking many possibilities to encourage frequent refresh of passwords.  If passwords are used in other online services are the same, we would discourage customers from such a practice for better protection of information.”

-“Impact on your business: You have a company with large-scale network and services, so something like this could have been prevented.  How did you prepare, did you have a contingency plan for a situation like this?  Have you prepared for hackers?  You say you will be taking stringent action on hackers and pirates.  What action will you be taking, what message will you send?”

“The PSN has an ecosystem business model.  What it has is a lot of software from 3rd parties in addition to 1st party partners.  We have to be there to protect intellectual properties and platforms.  By assuring such protections, we’ll have the availabilities of such software for our customers.  There’s a system in place to come up with new software and new systems.  We don’t want these systems undermined by hackers and pirates.  We don’t want to see any undermining of the very basic part of this system.  So we believe we have to be resolute and stringent to ANY actions taken against us.  Before now, Sony and other companies (when it comes to online and server business), leakage of information and illegal access to damage, risk is KNOWN by Sony.  We offer many network services going back from PS2, so it’s always been on our mind to protect information.  We have a set of standards to follow to best protect customer information.  We’ve been lacking/what’s been lacking with this system in terms of prompt delivery of information to the customers?  What we need to do to improve this system?  In the last group, there’s been this group named Anonymous who have been repeatedly attacking systems around the world.  We’ve been trying to respond to these attacks to best defend against them by employing outside security firms.  The recent attacks, we don’t know WHO is responsible, but we know they have access to the software and know-how to hack.  Information security is priority for Sony, and a situation like this may not be resolved/cleared by Sony alone.  Therefore, as we’re living in a networked society, customers must be able to function.  Sony will try to deal with these situation in addition to working with local authorities as there’s serious social ramifications to take into account.”
“One point about passwords, allow me to correct: Passwords are not encrypted but “hashed”.  That’s what I meant to say.”
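The correction above (passwords are hashed, not encrypted) is the security-relevant point of the whole Q&A, so here is an added example showing what that distinction means in practice.  This is illustrative code written for this post, not Sony's own implementation, and its parameters (PBKDF2 with SHA-256, 200,000 iterations, a 16-byte random salt) are assumptions chosen for the example.  A stored record lets a server check a login attempt, but nothing in the record can be turned back into the password: there is no key to "decrypt" it, which is exactly why a hashed password store is treated differently from encrypted card data in a breach.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; a real deployment tunes these to its
# hardware and revisits them over time.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form algorithm$iterations$salt_hex$digest_hex.

    The digest is a one-way function of (password, salt).  The server keeps no
    key, so neither the server nor anyone who copies its database can recover
    the password from this record; they can only test guesses against it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record.

    Recomputes the digest with the record's own salt and iteration count, then
    compares in constant time so the check itself leaks nothing about how many
    bytes matched.
    """
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    hash_name = algorithm.split("_", 1)[1]          # "pbkdf2_sha256" -> "sha256"
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def records_differ_for_same_password(password: str) -> bool:
    """Two accounts with the same password get different records because of
    the per-account salt, so a stolen table does not reveal shared passwords."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("correct horse battery stapler", record))
    print("same password, different records:", records_differ_for_same_password("hunter2"))
```

Two design points worth noting.  The per-account salt is why the example's two records for the same password differ, and `hmac.compare_digest` is used instead of `==` so the comparison does not leak timing information.  Hashing does not make a copied table harmless, though: an attacker who obtains it can still run offline guesses against weak or reused passwords, which is why the advice in the conference to change the password and not reuse it on other services still applies even though the passwords were hashed.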

-“Information disclosure was quicker than what we usually see in Japan.  Why is this?  Also, cracking the root key, what measures have taken place since then?”

“Depending on the region, we carry out blogs.  On our website in and outside of Japan, we post on these blogs.  In Japan, we like to deploy blogs as we do in US and Europe.  SCEJ is looking into this now.  Therefore, in the US and in Europe, information is uploaded on a blog.  The specific information for THAT region or country can be seen on that blog and may not be seen elsewhere.  We’d like to carry the same parts of information.  Regarding your second question, because of security, we’re unable to share that.  But because of the internet, various cases have to do with a very basic part of our business.  To protect the IP of the part of our business, so if there’s any act that should disrupt that part, we should like to take stringent measures to cope with that.”

-“First: Compensation for users, free services, game downloading for 30 days, expenses paid for CCs.  Any idea how much this will cost per individual user?”

“For CCs and personal data, services relative to that including commissions to be paid for reissuance of credit cards, that’s one thing.  But due to stoppage of network services, some services and content will be offered to compensate them.  These are two different things, so I consider them differently.  First, as of now, there’s no clear evidence that CC information has been leaked.  We have no information to that extent.  Improper use has not been reported YET.  If there is illegal usage and a customer suffers damage, it will be dealt with on case by case.  SCE, PSN, Sony, and Sony Network Entertainment; the network strategy of the entire group, I (Kaz Hirai) am responsible for the security of this entire group.  That’s why I’m here.  We’re trying to find how we can regain the trust/confidence of our customers.  Whatever we can do to regain their trust/confidence, I will try our best.  For customers to show trust again, that’s MY mission.”

-“You mention for the past 2 months, there have been illegal action and attacks, but still why was there a vulnerability there?  Also the US entity managing the services could not identify that?”

“The main approach of the attack was to send a voluminous amount of data to disrupt service on the server.  The information obtained on the server would be obtained/spread.  Each time the security team throughout the world took various necessary measures.  This time, PSN and Qriocity services measured by SCEI thought they had taken measures, but looking back saw that we had room to improve and would like to try and improve on that.” “The cyber attack on Sony by Anonymous, we’ve taken action on a group-wide basis.  We have the information to take measures and, on a global basis, we work in teams.  We have the information to take measures against certain attacks.  It is regrettable that this [happened].  This is the review security and services.”

-“Have there been any requests yet of cancellation of services?”

“The systems regarding the 78 million accounts established through registration, there’s no cases of cancellation to subscribe to.  Aside from PSN+, there’s no subscription what to cancel from.  The user uses a Wallet in the PSN of which they may choose to use.  If a user chooses to withdraw, then that can only be the PSN+ monthly subscription, how we refund the remaining unused portion, or the remaining amount in the wallet if there’s any use.  We’ll deal with that on a case by case basis.  At this point in time, the type of calls we’ve had was to the timing of resumption of services and concerning personal information.”

-“You’ve received inquiries from the FBI.  What about police in Japan? Have they contacted you?  As well, what’s the yen conversion for free services?”

“Authorities around the world have called and asked us to cooperate with them in regards to hacking and information obtained, so Sony is cooperating with any that ask.  Second, cost varies throughout regions so I can’t really comment.  But generally, downloading titles, a few thousand yen could be costly.  For PSN+, $15-20 could be related to those, but a combination of both could be related to those depending on the region.”

-“Why wasn’t any action taken from the 16th-19th of April?”

“This illegal intrusion, we took the appropriate measures with that as well as having strict surveillance and monitoring.  We’re also enhancing security and robustness of servers to cope with that.  How to cope with the attacks first, it’s not ability (able) to take action immediately as we must take certain tests/steps first.  It takes a combination of measures, not just one measure.”

-“Clarification: How many units have been sold of PSP, PS3, and other services and what’s your respective market share, and how many of those users actually have accounts, same for Qriocity accounts.”

“Latest data…we’ll provide you with the latest data.  Because this isn’t a conference on PS itself, we don’t have the latest data with us.  As far as PS3, 37 million are actually connected to the network but units are much larger, PSP are 16 million connected to the network, Qriocity is still new (just launched) so numbers aren’t announced yet.”

-“You mentioned the vulnerabilities were attacked and went around firewalls when the attack was made.  How did they get through it and how will you improve the data center?”

“As I mentioned, it went through the normal transaction so it went right through the firewall.  It was a very skillful attack and had a certain tag attached to it.  The traditional system could not detect against such an attack.  We are taking measures to prevent of the recurrence and we will introduce a further robust security systems.  Details I can’t comment on for security considerations.”

-“During this conference, you mentioned Anonymous several times.  What’s your impression on the bearing/relation of Anonymous to this case?”

“During this QnA, mentions HAVE been made to Anonymous, but it wasn’t intended that they be implicated with the LATEST intrusion.  In the background of what’s happened recently, I refer to what’s happened in the last few months, not to imply that they directly or indirectly relate to the current situation.  Only to provide a background to the current situation.”

“Thank you for being here for this conference, considering especially this was a holiday.  Thank you once again for your attendance.”

So to recap: PSN back up “this week”, all PSN members to get free software and 1 month of PlayStation Plus free, fees comped by Sony for protecting identity, can’t confirm that Anonymous was a part of THIS intrusion, and they’re going after whoever did this.

UPDATE: Illustration on how hackers gained entry to the PSN system