[UPDATE] Playstation Network Breach, Credit Data Status
30 Apr, 2011
UPDATE 1: Sony has released another statement on the matter, detailing how the system is being rebuilt from the ground up. You can read it here!
UPDATE 2: A financial estimate from the Ponemon Institute values the damage of the breach, should user data be confirmed to have been lost, at $24 billion. Read the Forbes story here!
UPDATE 3: Sony has given a reason for the delay to Kotaku, which can be read here. LogRhythm, a UK network security company, believes that Sony may not be giving the whole story. Their response to Sony’s statement can be read here.
UPDATE 4: The breach has launched a government response on both sides of the Atlantic. Read Connecticut Senator Richard Blumenthal’s open letter to Sony here, one of two sent to the company from US officials. The other, from House Energy and Commerce Committee Chairman Mary Bono Mack, has not been publicly released.
The Playstation Network server outage has now entered its tenth day, and shows no signs of recovery. Worse still, Sony has since confirmed that private user information, such as profile name, birth date, and associated addresses, has been obtained by an unauthorized third party. The electronics company has since confirmed that while encrypted credit card data was accessed, there is still no evidence to suggest foul play.
Despite Sony’s statement, an Australian PSN member, Rory Spreckley, has claimed to ABC News that he is the first victim of fraud as a result of the hack, losing around $2,000 in unapproved transactions. The report does not square with the lack of evidence reported by major credit card companies like Mastercard and Visa. On the hackers’ side of things, reports from underground forums suggest that those involved in the Network outage have acquired 2.2 million unique card numbers from PSN accounts. This claim comes after several more claims of illegal card use, mostly on German plane tickets and purchases in Japanese stores.
The concerns over privacy have led to a partnership with the United States’ Department of Homeland Security, which, with the Federal Bureau of Investigation, has begun multiple investigations into the matter and the identification of possible suspects. Similar investigations have begun with Canada’s Office of the Privacy Commissioner and Britain’s Information Commissioner’s Office.
The question of compensation has been raised, with Sony so far only offering to “make good” on investments from its MMO players. A recent Q&A posted by Sony hints that the company is “currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online.” Hulu Plus, a service offered on PS3, has emailed free one-week vouchers for their product on all other compatible devices in the meantime (via Joystiq).
The latest information on the hack puts the blame on the custom firmware, Rebug. According to a self-proclaimed moderator of PSX-Scene, the firmware allowed the creation and use of fake credit cards for unlimited potential content downloads. Rebug, released on March 31st, effectively turned a regular PS3 unit into a developer kit in the eyes of Sony’s servers.
George “Geohot” Hotz has weighed in on the attack, saying that “The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts.”
In addition to all the other concerns the outage has raised, the possibility of serious data loss has been brought up by Eugene Lapidous, AnchorFree’s chief architect. Speaking to IndustryGamers, Lapidous laid out a worst-case scenario. Sony has since stated that both trophy data and cloud saves are expected to remain intact.
“It’s hard to believe that it’d take [over a week] to restore all data and code from backups, but it could happen if PSN doesn’t have good safety/disaster recovery procedures,” Lapidous detailed, “If service is disrupted due to permanent harm (and no effective backup), Sony may need to admit data loss: old data may never be restored. Time to restore the service becomes the time it takes to admit this fact.”
Content developers for the platform are not happy either. Q-Games’ (Pixel Junk) Dylan Cuthbert spoke on the fiscal effects of the downtime in an exclusive with IndustryGamers. “PSN being out definitely affects our bottom line, but as long as the people who were going to be playing Shooter 2 and other PixelJunk titles will get right back in there playing them when it comes back up we’ll be happy and hopefully income won’t be dented too much,” he said. “Sony has contacted us to let us know they are working as hard as they can 24 hours a day to fully correct and secure the breach,” Cuthbert continued. “Apart from that we don’t know any other information. Fingers crossed they’ll get it up and running very soon.”
IGN has reported that, while no info is currently available for creators of dated content, studios that had games set to debut in the past week are set to receive extra marketing support from Sony once the service comes back online. For some of the higher profile content, like the inFamous 2 beta, studios have either taken the initiative, or been supported by Sony in extending their product’s lifetime. It has since been rumored that Sony has begun distributing new, higher security, PSN SDKs in order to lessen both the amount of development downtime and future security risks.
Alexey Menshikov, CEO of Beatshapers (StarDrone), has also released his company’s plans (in an exclusive with IndustryGamers) to delay their product launch due to the perception that it “might just get lost in the many releases” when PSN re-launches. Regarding his current perception of Sony after the outage, Menshikov stated that, “In the past events with outages, and regarding PS3 hacks, Sony always was confident and helpful, although not immediately.”
“Sony will be helping us retain key focus [prominent placement on the PSN Store] for an extra few weeks as they understand how something like this can affect a small dev studio like ours,” said Paddy Murphy, CEO of Open Emotion (Mad Blocker Alpha). “As it’s our first week in the U.S., I’m sure it will affect sales, but we have to understand that Sony wouldn’t take down the entire PSN on a whim. As long as they can give us some marketing assistance when the PSN is back up, we are sure we will be able to recoup our potential losses.”
Industry securities consultant Michael Pachter has a much more optimistic view of the outage, saying that this temporary downtime could be better for gamers in the long run.
“I think they’re really trying to make the system hack-proof, and there appear to have been some pretty serious security issues. They have to keep the system secure no matter what, so being down a few days is worth it if they can ensure security over the long run,” Pachter commented to IndustryGamers. “There will be some short-term pain, but over the long run, gamers will appreciate that Sony is looking out for their best interest.”
Pachter has since issued another statement to IndustryGamers concerning the long-term effects the hack could have on Sony’s bottom line. Turns out, not much.
“Of course, this is bad for Sony’s image, and they have to fix the breach and ensure that it doesn’t happen again, or they will risk losing customers forever,” Pachter theorized. “I don’t think people switch sides in large numbers based on this, considering that few will really have lost very much at all (two weeks of Call of Duty multiplayer is probably the biggest loss), and to ‘switch sides’ means buying a 360 and paying $60/year for XBL. I think that Sony is in good shape as long as there is not another incident. If there’s another breach, it would be pretty bad…No, I don’t think PS3 sales will be impacted at all. Late adopters are far less likely to care about PSN than early adopters.”
In terms of good news, “Playstation Network” as a Google search item has increased 2,350% over the past few weeks. So…there’s that.
A lot of information to process here, E-Gs, but what are your thoughts on all these new details? Comment below!