The Great Playstation Network Outage
In April of 2011, an external group hacked Sony's PlayStation Network (PSN) and Qriocity music services. From this intrusion, 77 million accounts were stolen which Sony confirmed later contained personally identifiable information, including names and credit card information. The network was down for a total for 23 days before Sony was able to restore full service.
According to Alan Paller, director of research for the SANS Institute, interviewed by CBC News, this breach was one of the top 5 in history.
Sony Computer Entertainment's president of worldwide studios, Shuhei Yoshida, admits that since the 2011 hack, the PSN is continually attacked daily, but the company is working with a third party to better defend itself from these hacking attempts.
In early March 2015, a PSN user had their account hacked and lost $600 in fraudulent purchases. At this time, it does not seem that Sony will be able to refund them the money. This case is still under review.
The Beginning
On April 20, 2011, Sony stated on their blog that they were aware certain PSN functions were down and released a message to users attempting to sign in that the network was "undergoing maintenance." The next, Sony provided another update on their blog that stated it "may be a full day or two before we're able to get the service completely back up and running." It was on April 22 that Sony released the information of the "external intrusion."
However, it wasn't until the 6th day that Sony came forward with the information that personal information may have been stolen and release an official statement about the situation. Of note in this statement is that they were award on April 17 of the intrusion but did not inform the users at this time.
Sony released a series of Q&As on their blog addressing the variety of concerns expressed by their users following this statement.
On April 27, Sony made another public statement as to the reasoning for not informing their customers sooner of the intrusion and the stolen data. In summary, Sony clarified the need to conduct a thorough analysis of the intrusion in order to be able to release the most accurate information to their consumers.
The User Response
During this time, users of the PSN and others, including academics and security experts, were vocal about their opinions of Sony post-breach.
- Gamers fuming over PlayStation hack (CNN Apr. 28, 2011)
- Sony breach 'difficult to excuse' say security experts (BusinessInsider May 3, 2011)
- Official PlayStation forum thread over 500 pages long: Re: Latest Update on PSN Outage
- IGN reflects on the outage 1 year later (April 20, 2012)
The Court Case(s)
There was not only a vocal response, but a suit was filed on April 27th that accused Sony of not more closely protecting its customers' personal data. There were additional court cases from various countries as well. The following articles chart the timeline of the cases.
- Sony sued for PlayStation Network data breach (CNET April 27, 2011)
- Sony faces legal action over attack on PlayStation Network (BBC News April 28, 2011)
- Canadian Law Firm files $1B lawsuit against Sony over PSN Data Breach (Gamasutra May 4, 2011)
- Sony PSN hacking lawsuit dismissed by judge (CNET Oct. 23, 2013)
- Data watchdog fines Sony 250,000(RBP) over PlayStation ID hack (The Guardian Jan. 24, 2013)
- PSN class action settled in Canada, users can claim benefits (Joystiq April 19, 2013)
- Sony drops appeal for ICO-issued 2011 data loss fine (Joystiq July 13, 2013)
- Court approves settlement over Sony's 2011 PSN breach (Joystiq July, 24, 2014)
Service Restoration and User Compensation
On the day that Sony was able to return PSN service, they offered a Welcome Back incentive to all users who signed up before the outage.
This included a choice of four free games as well as 30 days free of the PlayStation Plus premium service. The additional details of this package are listed on Sony's blog.
The court cases also provided users other forms of compensation. In the Canada case, users are able to claim $4.50 in "station cash" for those affected only by the outage. To those who suffered identity theft as a result of the breach, valid claims can receive up to $2500.
For those users located in the United States, Sony offered free "All Clear ID Plus" Identity Theft protection through Debix, Inc.
In an effort to have stronger security going forward, Sony hired Philip Reitinger, ex-director of the United States National Cyber-Security Center, as their new information security officer.
However, not all outcomes of the restoration were positive from a user-standpoint. In an effort to prevent further class-action lawsuits, Sony released an update to their terms of service agreement that all customers must agree to if they wish to continue using online services provided by Sony. In summary, this update states that any user who wishes to file a case must do so on an individual basis.
By the end of 2014, Sony had lost millions due to this breach and others that came later.
Sony's Investigation
In an effort to find those who were behind the breach, Sony brought many teams in to investigate.
- FBI investigating PSN hack; Sony looking into compensating users (ARS Technica April 29, 2011)
- Another team added to Sony's PSN investigation (VG24/7 May 4 2011)
- Sony says "Anonymous" set stage for data theft (Reuters May 4 2011)
A group calling themselves "Lulz Security" was eventually discovered to be the cause behind not only the Playstation Network attack but a series of other hack attacks on Fox network and PBS.
The Guardian released an article chronicling the exploits and eventual capture of LulzSec.
Other Sony Hacking Attempts
The Interview
In the Winter of 2014, Sony Pictures Entertainment was set to release a movie called The Interview, a satirical comedy movie in which a reporter and his agent travel to North Korea to interview Kim Jong-un, and by request of the CIA, assassinate him.
Sony was hacked in November in response to this movie's coming release by a group called the "Guardians of Peace." This attack has forced Sony to delay their quarter one financial report.
Lizard Squad vs PSN
In August 2014, a hack group known as "Lizard Squad" brought down the PlayStation Network as well as Blizzard's Battle.Net and Riot's League of Legends servers. In addition to the digital attack, Lizard Squad also called in a bomb threat against Sony Online Entertainment's boss, Johnathon Smedley.
These downtime was accomplished using targeted DDoS (distributed denial of service) attacks.
Over Christmas 2014, "Lizard Squad" attacked again, bringing down the PlayStation Network and XBox Live for a brief period.
In an interview with a Lizard Squad member, it was stated that they did it just for fun and attention, and that it wasn't that difficult - only three people were primarily involved in the attacks - the youngest of which was 13 years old.
However, some of the Lizard Squad have since been arrested following these attacks.