back to article User data stolen in Sony PlayStation Network hack attack

Sony is warning its millions of PlayStation Network (PSN) users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. The stolen information may also include payment-card data, purchase history, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    When (&& if) they catch the a-holes responsible...

    ...I say castrate them. Not only have they exposed my personal information, but they are denying my right to use the hardware I bought.

    Which reminds me: that sounds a bit like the argument that OtherOS-loving hardware-hackers like to throw around. Well, if they are to blame (and it might very well *not* have been them), then I say they are hypocrites.

    1. sT0rNG b4R3 duRiD
      Megaphone

      The *REAL* Arseholes

      While I completely agree two wrongs do not a right make... I think the real arseholes here are those who do not hash passwords and encrypt credit card information.

      You still trust them?

      I say boycott Sony.

      Do a real DOS on them (Denial of Sales).

      I feel for the victims of the hack (Sony's customers). Not Sony.

      1. jake Silver badge

        Boycott Sony? Too late ...

        The only bits of Sony kit here on the Ranch are ancient. One is a 32" Trinatron, bought new by me in 1988. It's also the only TV in the house ... and likely the last one; we probably won't replace it if it ever dies ... no real need, it's almost never turned on. The remote is cob-webbed to the top of the TV, I couldn't tell you when one of us last watched television. TV is a vast wasteland, probably the only bigger waste of time is playing video games. The others are also from 1988 ... 20" DDM monitors that are attached to various pieces of old Sun kit. Yes, 2048x2048 in 1988 :-)

      2. DrXym

        Who says the passwords were not hashed?

        Until Sony summarize how the data was stolen, speculation regarding the manner it was done is just that - speculation. Perhaps they did comply with credit card regs, perhaps they do use strong password hashing and all the rest. All of which would not matter if the hack was someone in their datacentre walking out the door with a backup tape, or a disgruntled employee with a working login.

        Yeah they've been bitten hard but maybe people should wait to receive the explanation of events before leaping to conclusions.

    2. David Hicks
      Flame

      Sorry but WT-holy-F?

      Might very well not have been? Might very well not have been?

      Why the hell would you think that people hacking their hardware would be in any way involved in this in the first place?

      Seriously, are you that warped in the head that you equate people gaining control over their own hardware with stealing millions of user details and (potentially) credit card details for the purposes of fraud?

      Hell, even the most pirate-y of console hackers isn't interested in massive data theft and fraud.

      Sony failed to secure their systems. The fact that passwords were even stored on their systems (instead of secure, salted hash values) is a huge failure in itself.

      The ability to penetrate and compromise Sony's server infrastructure is entirely separate to breaking client-side security, it is also unambiguously criminal. This is absolutely nothing to do with custom firmware, homebrew or piracy.

      1. Anonymous Coward
        Anonymous Coward

        Data and Hardware

        The people who have stolen all this data are not the ones who originally hacked the hardware. Nor are they the "Anonymous" collective.

        Sony allowed this type of data to be transmitted to developer machines. The hacked PS3's put themselves into the same mode so that the data is being sent to them. That is how this whole thing has happened. If Sony wasn't leaking the data to developers in the first place none of this would happen.

        All the hardware hackers have done is given them a platform for which they could access the data on. Either way this data could have been leaked somewhere else.

    3. Jake Rialto 1
      FAIL

      PCI / DSS Standards Anyone???

      If the credit card numbers were stolen because they were not obfuscated / truncated (only display first six, and last four characters, the rest are hashed out), then Visa International and Mastercard may take them to the cleaners.

      Now they may have been obscured, but if the hashed data and the truncated data was accessible and could be linked, it can still be recovered.....and Visa and Mastercard will be after them again.

      The PCI DSS standard has this requirement.

      Primary Account Number (PAN)

      Storage Pemitted = Yes

      Render Stored Account Data Unreadable per Requirement 3.4 = Yes

      Wouldn't like to be in their QSA / Information Security / IT auditors shoes right now tbh.

    4. garotte80

      I agree to an extent

      I don't think the public will agree with castration. I do however think enough people are affected that the hackers responsible for this should receive the death sentence. They have gone too far and an example needs to be made.

      1. Anonymous Coward
        Anonymous Coward

        "an example needs to be made."

        Out of Sony.

        For having incredible wealth and resources, and yes technical expertise, but failing to provide their users with even the most basic protection possible. (Can you imagine that internal Sony accounts are lying around unencrypted on public facing servers?). If they can design the Cell processor (lol and what an over-engineered heap of crap that is) then they can damn well read an "Idiots guide..." to basic security practices.

        1. Anonymous Coward
          Thumb Down

          @AC 13:53

          And how do you know they were public facing servers? For all we know, the account database servers were internal and not connected directly to the internet. Perhaps they hacked a server that was public, and then worked their way into the network from there. Not unheard of.

          But no encryption is unforgivable.

    5. we are all ignorant

      Actually...

      ... you are the hypocrite. You want to be able to use the system you paid for? How does it feel? Wimper more.

      1. Anonymous Coward
        FAIL

        @we are all ignorant

        I'm not too concerned about the delay. LittleBigPlanet 2 and Killzone 3 are plenty of fun offline. But, the idiots who threw a tantrum over OtherOS: THEY can "Wimper more". After all, I'll be back online in a week or two. They will be waiting *a whole lot longer*. Your name really says a lot about you.

  2. Nathan 13

    title

    Couldn't have happened to a nicer company HAHAHAHAHA serves you right assholes!!!!

    1. Anonymous Coward
      FAIL

      idiot

      It's not the company that's affected in the first instance - it's the users - who only want to play games... And, having worked (and played against) some of the bigger companies on the planet, I don't think Sony is the worst for stopping people hacking their hardware.. Grow up

      1. Gangsta
        Stop

        @ AC 01:13 ^

        Aha, but what about the potentially massive loss to Sony's reputation?

        That is one thing they DO deserve. If customers suffer then Sony (morally should) be liable.

        I have been a Sony PS fanboy for years before this, but now I'm drifting away.

        a)because of the Removal of the OtherOS feature (I didn't use it that often, but it was the principle and the attitude of Sony)

        b)They sued Playstation hackers. These guys only unlocked it to support homebrew. Not piracy. You could say that they contributed to enabling piracy, but did THEY enable piracy?

        c) Because of this potential loss of crucial data. They haven't stored the details securely, that 77 Million or so users have entrusted them to do. They have shown a horrendous disregard to their users.

        You could add d) PSN has been down for 7 days, but I don't use the PSN: I was once a user, but homebrew was too tempting.

    2. Anonymous Coward
      FAIL

      OK

      Seems the American Shitebox360 owners have woken up. Who wants to bet money that when the feds bust down the doors of those responsible, it will be some spotty 16 year old American Xbox owner...

      I'd be willing to bet money on that right now.....

      Microsoft's brainwashed soldiers.

  3. Mystic Megabyte
    FAIL

    Oops!

    Shit -> Fan x 70 million!

  4. Combat Wombat
    Coat

    Bwa hahahah !

    I fell off my chair laughing when I saw this.

    Their crap-tastic security was mentioned last year at the CCC in Germany.

    Rather than fix it Sony chose to release the lawyers.

    Nice to see how that worked out.

    Mines the one with the Xbox Live cards in the pocket

    1. asdf
      FAIL

      Only so much one can do

      What you expect Sony to secure their own systems? That takes resources. Resources better spent devising draconian drm (spore drm sony invention) and illegal rootkits to punish your paying customers. Sad even control freak apple understands drm unsustainable. Sony last big company not to get memo.

      1. Daniel 1

        They suspected their customers were stealing from them

        So they allowed their customers to get robbed.

        I feel this must ultimately be the fate of any company that sets their business up, on a premise of "Our customers are thieves." The only people who end up having to sit through endless messages about the evils of piracy, are the people who actually bought the product.

        (I like to imagine the Sony motor car: you put the key in the ignition, and this racy music starts up and a stern voices starts saying things like ''You wouldn't steal a DVD... You wouldn't steal a handbag..." Of course, ideally, this system should be completely bypassed by someone hot-wiring the car.)

  5. Bill Neal
    FAIL

    ironic

    sony forces hackers to play offline

    hacker(s) force sony to play offline

  6. Ben Alderson
    FAIL

    Fail

    That's asuming that whoever stole my password doesn't log in first when PSN comes back up and change my password.

    I suppose Sony could change all passwords and email users with new ones that require a reset as soon as you log in, but if anyone used the same pass for PSN and their email then...

    Can't believe it's taken so long for Sony to notify users of what has happened. This is a major screw up, I'd like to see the ICO take action against them for this. Bastards.

    1. Adam T

      unless your surname is Aardvark

      Then again, I expect the servers will collapse under the weight of millions of people all trying to log in all at once when they do come back up again.

      Sigh of relief here as I've had a new c.card since I last paid for something on PSN. Still not happy to hear Sony are stupid enough to store other personal info unencrypted also.

      Oh well, we live and learn. Trust is such an easy thing to lose...

  7. nozafc
    Happy

    Karma

    Could not have happened to a nicer company

    1. DZ-Jay

      Actually...

      It did not *happen* to Sony, it happened to the thousands of users who set up an account in the PSN, and whose only transgression was the desire to play games.

      -dZ.

    2. DrXym

      Yeah serves them right

      Imagine them manufacturing a games console (competing against several others) and providing a free online service. What evil heartless bastards.

  8. Anonymous Coward
    FAIL

    Thanks Sony!

    For telling us this six days too late. :|

    1. Jake Rialto 1
      Pint

      Don't fret

      TJ Max kep the lid on their data breach for three months.

      In fairness, the US Secret Service told them to keep mum over it.....

  9. This post has been deleted by its author

  10. Bill Cumming
    FAIL

    Data might not be stolen...

    ...According to reports a custom firmware for the PS3 is in the wild, making slim consoles in to "developers" consoles.

    This gives them access to the PSN Developers network as well as the main PSN,

    The upside was being able to bypass checks on games and a few other security hurdles.

    But they found a bug (or major FUBAR) where creditcard details are not checked to see if the user owns it with simple name/account check (or even if the card number was a valid one e.g. 16x1's would work.)

    Letting people with this firmware but anything they liked on the PSN.

    1. Gulfie
      FAIL

      And your evidence is?

      Having sniffed around for related information, all I can find is a bunch of speculation and no hard facts - i.e. independent verification by a white hatter of the claims that Rebug does indeed provide unfettered access.

      I'm not saying you're wrong, but you can't make these assertions without providing a source that independently confirms them.

    2. Gulfie
      FAIL

      ... and another thing ...

      If Sony were in the position you suggest they are, nobody in Legal or PR would have suggested spinning a 'firmware cracked, dev network hijacked' story as a 'massive data theft affecting every PSN user, possibly including credit card details'.

      At least chesh420 (the handle of the original poster at reddit) has the decency to say, at the start and the finish of his post, that he is SPECULATING.

    3. Andy Fletcher

      Sure..but

      All those accounts that did that got themselves suspended and rightly so. Just hover around the official Playstation forums to witness a deluge of twats who stole from the PSN store and are complaining they got caught out.

    4. The Alpha Klutz

      I AM SPECULATING

      Sony run a secret Ice cream parlor on Mars. They only let certain customers go there for free ice cream which is TOTALLY UNFAIR.

      Some of the customers hacked in to the Martian Mother Computer and discovered a new flavour of ice cream based on chocolate. Again this is only a rumor at this point but if the queen is a reptilian shapeshifter then god help us anything is possible.

      I spoke to Sony's PR company and they can confirm that I will be on the next shuttle up there for free ice cream and blow jobs. I asked about the possible existence of chocolate ice cream and the line went dead.

      Several minutes later a military contractor phoned me back and told me in no uncertain terms that I love Raspberry ice cream not chocolate ice cream. Then a high pitched tone pierced my ears and I realised that this is in fact true, I do love Raspberry ice cream exclusively.

      I AM SPECULATING

  11. Anonymous Coward
    FAIL

    hopeless

    Considering their continual failure to secure the ps3 console against cracker

    Attacks...a battle that really opened up when they

    Stupidly removed the otheros feature (the final fallout

    Of that move is still to be seen) I can't see how anyone can

    Trust their ability to secure PSN. Sony are on a big slippery

    Downward slope into every messy brown lake ...

    1. Anonymous Coward
      Stop

      (untitled)

      Was that your attempt at writing a Haiku, or at justifying the actions of those who oppose Sony's removal of Other OS? Either way you've failed.

      1. Aaron Em

        I'm guessing...

        ...it is the result of using a crummy phone browser with text fields that "helpfully" produce hard line breaks and auto-capitalization.

        1. Anonymous Coward
          Go

          I

          was more joking about the Haiku.

  12. Fisher39
    FAIL

    I do look forward to...

    Carole's opinion on this. Wonder how the young chappie is going to get the XBox angle in?

    1. Dante
      Thumb Up

      hehe

      Is this a Playstation exclusive?

  13. Anonymous Coward
    FAIL

    Here we go again...

    Yawn...

    Change your password(s) move on. I don't see what the big deal is.

    1. asdf
      FAIL

      Sony will

      Customers eventually learn. Sony got lucky with ps1&2. Now they are the sega of consoles. 1 maybe 2 generations until they pack it in.

      1. lurker

        @asdf

        I think you'll find that Sega were the Sega of consoles.

    2. Steven Raith
      Stop

      The big deal is...

      That 95% of the users on PSN have probably used the same password on there as they use for every other secure site they have access to.

      This is stupid, but they are users - it'll happen.

      If you can't see the massive significance of this, you're either blind, stupid, or both.

      Never, ever trust Sony - full stop.

      Steven R

      1. Charles 9

        You might as well say...

        ...never, EVER trust ANYBODY.

        Not even YOURSELF.

        Because humans are both fallible and capable of exploiting others' mistakes. You can't trust online transactions because your account can be hacked. You can't trust credit cards because the clearinghouses can be cracked. Hell, even cash can be vulnerable to supernote counterfeiters.

        1. Tony S

          Welcome to the world of security

          Many years ago as a (very) junior manager, I was told by an ex-Chief Super of the Met that there are only 3 types of people in the world. The SAD, the MAD and the BAD. Everyone falls into one of these 3 categories.

          I argued with him, but he insisted that one day I would understand. Some 30 plus years later, I absolutely hate to admit it, but he was 100% correct. To quote Lex Luthor "People are just no damn good"

      2. Aaron Em

        Passwords are stigma of our fathers' sins

        "Users are stupid for not using passwords properly" is satisfying, if you like that sort of thing, but also small-minded, smug, and rather pointless.

        "Passwords are stupid for not living up to requirements" is much more accurate -- 'requirements', of course, defined as how the thing's actually going to be used in the real world.

        Of course, I don't have any particularly clear idea for what could replace them, nor would I be able to meaningfully implement it if I did. So I do the best I can and just don't allow users to set their own passwords; they complain about it for thirty seconds, then remember their browser or mail client will store it for them and forget they thought it was a problem. The occasional crack about difficult passwords I can easily bear in exchange for systems which aren't infested by every petty criminal in the world who can get to an Internet cafe.

    3. David Hicks

      Credit Card details

      Sony are not sure at present if CC details have been compromised. Other info certainly has. When someone has your -

      username

      password

      real name

      email address

      street address

      credit card details

      Would you not agree there's a lot of scope for negative effects? If this were just your username and password then it wouldn't be as big of a problem.

      Also - good luck logging in to change those.

      1. Anonymous Coward
        FAIL

        Funny that

        My number 1 rule with this sort of thing is never use valid info unless you really have to.

        I registered my details as 123 fake street, London. With a fake postcode & name and haven't had any problems buying things. The only info they have on me is my CC details, I'll be cancelling those cards today.

        However, I'll never use PSN again, except for demo downloading, 98% of the stuff on there is complete shite anyway.

        1. johnnytruant

          Oh hai

          I also live at 123 Fake Street, London.

          Could you pick up some milk on your way home?

          1. Anonymous Coward
            Alert

            Howdy neighbour.

            It was an old address anyway, My main residence is now 124 Fake St.

            I just phoned the bank and stopped my card. They said that official word was that they didn't think the hackers had the 3 digit security codes but had everything else (which I guess includes the rest of the cc details), they said that an increasing number of people were stopping their cards for the same reason. Better to be safe than sorry.

            Where is the fail of the year icon?

    4. The Fuzzy Wotnot
      FAIL

      Oh I get it!

      "Change your password(s) move on."

      'Cos that will magically get the details back from those thieving sods who nicked them! All that dodgy data will instantly vanish from all the storage devices when the PSN users all over the world change their passwords!

      What are you, a putz?

    5. Anonymous Coward
      Anonymous Coward

      The big deal is

      That my card is suddenly maxxed because some hacker a-hole has used it to buy access to pr0n.

      Seriouslhy, So far my account is fine. The same cannot be said for a member of a forum I'm in.

      http://forum.lowyat.net/topic/1853070/+100

      A-hole hacker took his card and make random random pharmaceutical purchases in the US and lavish purchases in South America.

      Sony has crossed the line in the past, yes. But now these hackers have crossed the line. If I ever see one entry in my next bill for something I didn't buy, someone's going to get hurt. Bad.

      1. Aaron Em

        "...someone's going to get hurt. Bad."

        Quit trying to flex and put that mirror down before you hurt yourself with it.

  14. SilverWave
    FAIL

    Karma

    Bad Sony.

  15. Steve Evans
    FAIL

    Passwords?

    For passwords to be stolen, Sony must be storing them, which in security terms is a total fail.

    Sony, you *never* store a password, you store a hash of the password, preferably from a known and trusted algorithm which you initially seed with a secret phrase to prevent those pesky rainbow lists from allowing a reverse.

    Amateurs.

    1. Anonymous Coward
      Thumb Up

      Hmmm

      I think what you mean is that you store a salted hash of the data. You probably want your hashing algorithm to be deterministic or it is a little useless, thus 'seeding' it makes very little sense. You also don't want your salt to be constant for all users as that makes generating the rainbow tables easier.

      Of course, you can seed the algorithm which generates the salt. Then you store the salt and the password in your database. When given a password to check, take the password, add the salt, hash the result. Compare hash with hash and you are a winner.

      On compromise you have revealed still revealed the salts (Boring data, could potentially allow rainbow attacks) the hash (boring data, could potentially allow rainbow attacks).

      Now for users with bad passwords you have a problem. Computing the tables for a set of common passwords with the salt added will probably get you good results - but it will only get you the password for one bad user. Of course the argument here is that if you are checking a small set of common passwords for one specific user then you are in a no better position than you were before compromising the database.

      Summary,

      Find good random function: generate salts.

      Teach users to make good passwords: add salts to passwords.

      Find secure hashing function: Hash salted password.

      Try not to mess up database security: Store salt, hash.

      (Sony, that will be £100,000 kthx)

      1. Steve Evans

        @Hmmm

        Yes, you are quite correct sir... I should stop posting at 4am!

  16. ohzero
    Grenade

    The website / PCI?

    Newsflash guys: Sony's website has nothing to do with PCI. PCI applies to the entire cardholder environment, IE - anywhere the data resides. So, if someone stole a printout of subscriber data from the trash bin and used it illicitly, it's still a violation of PCI. There are several cardholder databases inside Sony's NP. If any single one of them was compromised, its a violation of PCI.

    Here's the funny part: They werejust starting their PCI audit. Welcome to the forensic assessment fun, Sony.

    Good job SL. You know who you are and you know you need to be shitcanned.

    1. Anonymous Coward
      WTF?

      Just starting?

      How in the world were they only just starting? I was putting a system in last year at a membership organisation and the fucking hoops we had to go through was a complete nightmare. We did it, we conformed and I learnt a lot but there were deadlines on getting it done, we are well past that, how can they have only just been bloody starting?

      I seem to recall that the penaltys could be very severe, one of which was the credit card companies banning them from taking credit card payments. I guess that won't be used on Sony, just reserved for the little guys...

    2. Anonymous Coward
      Anonymous Coward

      pci nightmares

      I took over running a system a few years back for a fairly major company, the first thing I did was to map the database (whats stored where & why) since there was no documentation at all for the system. what I found was in excess of 400,000 complete credit card details all tied neatly to complete details of the owners (by complete I mean card No, start date, expiry, CVN, full name, full address, telephone No, email address, password, date of birth and secret question / answer) dating from 6 years to 10 seconds in age with no encryption of any sort.

      the table in question had been put together for debugging problems with the payment system and had never been removed once the problems were fixed

      my first job was to nuke that table and the routines that wrote to it, followed by taking a full backup of the system and destroying all previous backups (since they still held the card details).

  17. Anonymous Coward
    FAIL

    A question...

    "was likely...unhashed and unencrypted on its servers..."

    What evidence is there to support this? How is this "likely" considering that if similar encryption methods have been broached so could the hash/encryption method?

    I do agree, the handling of this whole situation by Sony has been poor and ill-managed. Their blog would have you believe that they are following best practice when even in what they've provided there is conflicting information. For instance the discrepancy on whether this kicked off between 17-19th April or on the 19th April and the 'red button' response being taken on the 20th. This coupled with market-talk and vague hints at best has been far from pleasing.

    I can understand that in a security situation cards need to be held closely, but this is too far. This combined with the only pitch of "we regret" and "we appreciate" when they're not telling customers the main thing they should be, which is ultimately "we're sorry"; above and beyond marketing spiel it should've been the first thing said. I was appalled at the audacity of 'encouraging' customers to be extra vigilant about their data and the data they give out when they themselves have caused such a blunder with their handling of customer data.

    Insult has been added to injury with the FAQ that they posted, the wording being somewhat unattached from the fact that it was their fault this has occurred. Even along with the pay-per-minute phone lines of generic customer service. The US (and I will point out Patrick Seybold didn't mirror this on the EU blog) blog also followed up with a clarification, seemingly from the response, contradicting the FAQ (the 17tth-19th vs. 19th April), not addressing when they realised consumer data was being compromised.

    tl;dr Part of the issue is a lack of information on Sony's part, and how they're handling their communication; especially in my opinion a lack of an apology.

    1. John G Imrie

      Why "we're sorry" are the hardest words to say.

      Sony won't say that they are sorry until their lawyers tell them they can.

      Their lawyers wont let them say sorry because to do so can be taken as an admission of guilt and would allow the legal flood gates to open.

      Sony's first call of duty is to maximize shareholder value. If they can do that by not apologizing then they won't apologize.

  18. Aaron Em

    Fukushima: the real story

    "Fukushima: the real story"

    PSN has been down for something like a week now, ostensibly as a result of an attack from outside in which much user data was also compromised. That's the company line, and taken individually, each part of it is true; there was a successful attack, PSN is in fact damaged and offline, user data was indeed compromised.

    It's only when these statements are added up together that they become a remarkably insidious lie, one in which these events are all presumed to follow one upon another without any particular interval or delay. Sony would very much like that everyone should assume this to be true; in fact, I strongly suspect they're so invested in maintaining their corporate fiction that they'll completely ignore this comment and any others like it for fear of substantiating them through denial.

    In fact, the attack and compromise of user data took place very early in March, most likely on or very near the first of the month. (This may possibly be the result of the attackers intending what might have been the ultimate fuck-you of April Fool's jokes, but getting the month wrong due to a catastrophic misunderstanding of the International Date Line.) Sony, of course, was aware of the attack at the time it occurred, and very shortly thereafter became aware of the massive compromise of user data.

    But it also occurred to them to note that the attack had been very competently done -- so competently, in fact, that it left the operation of the PSN infrastructure entirely undisturbed. This being the case, Sony recognized an opportunity for some extremely detailed and thorough long-range planning, a true corporate masterstroke of which people ten generations from now would speak in tones of hushed awe.

    Which brings us, of course, to Fukushima. At this point the evacuation zone surrounds the plant to a diameter of twenty kilometers. This is necessary, we're told, because the reactor incident has resulted in some hot spots of short-lived but highly active isotopes, and their existence poses a hazard to human health in the period before they've been safely disposed of -- not to mention the difficulties in cleanup produced by having a bunch of people tramp their careless clodhoppers right through the mess and track it every which way.

    This, again, is what we've been told, and what we are intended to believe -- just as we're intended to believe that the earthquake and tsunami, by themselves, would have sufficed to produce the level of damage seen at Fukushima. It is of course a testament to the conservative nature of engineers that the beleaguered old plant stood up as well as it did under such an onslaught; it must, however, be considered, that, just as with the 2001 destruction of the World Trade Center supposedly at the hands of terrorists, such engineering *should* have been able to withstand all of the force to which it was exposed on 11 March, and much more besides.

    Which brings us, of course, right back to Sony. It's a little-known but very real fact that Sony and TEPCO have partnered in a venture known as Sustainable Green Power Corporation -- and, as we all know, there is no practicable method of energy generation more green or sustainable than nuclear reactors designed and operated with safety precautions far more stringent than those employed by the outmoded, profit-driven existing nuclear industry. Put simply, Sony could not be more deeply involved in every level of TEPCO's nuclear operations. Beyond a brief consideration of the degree of access which such a close cooperation might offer undercover Sony operatives to the aged and vulnerable infrastructure of the Fukushima nuclear plant, little more needs to be said on the subject.

    "But," you might ask, "why? Why on Earth would Sony even for a fraction of a second entertain such a bizarre and benighted idea as that?"

    Don't you see, that's the simplest part of it all! Sony has got to know that they are going to get their asses absolutely sued into the ground over this, and depending on the magnitude of the resulting disaster, it may well destroy their console business entirely for much or all of the decade just now beginning. This is especially true in light of the fact that they're not letting on anything happened until a month and a half after the fact -- which, of course, explains the nearly-week-long outage, because after all they had to give themselves *some* excuse, didn't they? They couldn't risk trying to keep it secret forever, not when any morning might see the news story about the ten thousand people who all had PSN accounts and all had credit card fraud happen at exactly the same time.

    So the question we need to be asking is, simply, this:

    How big an army of lawyers can you fit in a 20km radius? Because I'm pretty sure that's how many Sony is going to use.

    1. Marky W
      Grenade

      tl;dr

      see title

    2. Anonymous Coward
      Anonymous Coward

      Wow!!

      I've witnessed the birth of a paranoid conspiracy theory.

    3. David Hicks
      Alien

      +1, Absolutely Mental

      Would read again. You might want to work Obama or (for old-skool fun) Bush into there though, for maximum impact/paranoia.

    4. Adam T
      Pint

      have a skol

      Very nicely done sir :)

      1. Aaron Em

        Cheers mate!

        It's nice to be appreciated. :)

    5. Fisher39

      Deranged?

      Cor blimey. Sony having the power to unleash an earthquake and tsunamai to cover up a minor security cock up.

      There's definitely a Playstation exclusive in there.

  19. Jolyon Smith
    Coat

    Don't trust your bank!!!

    I mean, you put your money in there and then they go and let themselves be held up and let thieves run away with your money!!!

    !!! CASTRATE THE BANKS FOR BEING SO LOOSE WITH YOUR MONEY !!!

    (or perhaps castrate the thieves who robbed the bank? I dunno, it's just an idea)

    Mines the one with the rational sense of perspective in the pocket.

    1. Anonymous Coward
      Anonymous Coward

      I am not a title I am a random sequence of letters - stop reading me

      The thieves don't run away with your money. They run away with the banks money, You don't lose a penny.

      And unless you have written your name, address, card and bank details on the £10 you deposited the thieves wont know anything about you and so can not target other accounts you have.

      1. Anonymous Coward
        FAIL

        You don't lose a penny?

        Ever think of where the banks get their money?

        Here's a clue, next time you see an interest raise hike, or a set of bank charges on your statement, think about how it's only the *bank's* money being stolen.

        Twit.

        1. Anonymous Coward
          FAIL

          @AC 11:59

          I think you're the twit.

          If your local branch of your bank gets held up and the money gets stolen, do the bank debit it from your account??

          No? Well then, you haven't lost any money then, have you.

          Yes, the banks get their money from you, but no they don't expect you to pay for theft from the bank.

          They do, however, expect you to pay if your debit / credit card is used fraudulently, if they can prove you were at fault.

          1. Anonymous Coward
            FAIL

            No, I'm not a twit

            > you haven't lost any money then, have you.

            You really failed mathematics 101, didn't you.

            Every penny a bank has it gets from its customers. Every penny stolen from a bank is ultimately debited to its customers, as interest and fees.

            Sure, if someone steals $10K from my account I personally don't necessarily lose all $10K in one go, but you can be damn sure that every one of the banks 10K customers is going to lose $1, every time. Every crime against a bank costs its customers money.

            Where the hell else would the money come from, you think it grows on a money tree in the bank's back garden??

            Twit.

  20. Mark Lawson
    FAIL

    Possible new slogan?

    IT

    ONLY

    REVEALS

    EVERYTHING

  21. LinkOfHyrule
    FAIL

    Hahaha

    At this rate, LittleBigPlanet 3 will be a third party Wii 2 game!

    Twats

  22. Anonymous Coward
    Anonymous Coward

    Oh goodie...

    ...they've got my debit card details. Yes, debit. Though while I feel a plonker for that, the knowledge that it, and my password, were possibly being stored in plaintext is infuriating.

    If anything comes of this release of my details, I'll be asking Sony to pay for the mess.

  23. Martin Maisey
    Thumb Down

    Incompetence

    This simply should not have been possible, and even if it was it is completely unacceptable they still don't know what's gone and what hasn't.

    What was Sony doing storing sensitive information like date of birth, address, security questions and answers, and possibly c/card details on online servers where the data could be exfiltrated?

    For some of this (e.g. DOB) there is simply no reason at all to keep this accessible on Internet connected servers - just categorise the user into age bands and punt the data somewhere offline, then periodically update through a one way batch update when they change into a new age band.

    Other data (e.g. C/card details, security answers etc) should have been stored between a double layer of firewalls from different vendors, with carefully controlled access to minimal required logic (e.g. execute this transaction, check this security answer) with application level firewalls that alert on any unusual activity and logging of every single packet on the network to something like a LogLogic monitoring appliance.

    This should have been required to get through their PCI DSS compliance. Some hard questions need to be asked of Sony executive management, their security team and their PCI auditor.

    And I cannot believe that with this level of incompetence, they are not even offering free credit monitoring to those that want it.

  24. bitmap animal
    Stop

    Sony didn't steal the user data, thieves did

    It's all too easy to blame Sony for this theft. I don't know what levels of security they had, but like anything if someone is determined they can break in and get what they want. Someone made a conscious decision to break in and steal from Sony, never forget that.

    As an analogy say if demonstrators decided to blockade Tesco distribution depot then some people broke in and stole things, would that mean Tesco are rubbish or just mean there are demonstrators and criminals out there.

    How would you feel if someone broke into your home/business and stole from you. Would you be saying you deserved it because you didn't have Fort Knox level of security around your piggy bank?

    1. Mad Mike

      bitmap animal.

      You're quite right in what you say. However, if you leave your front door wide open, place all valuables within the hall and leave your car keys handily available for a quick getaway, you might not get so much sympathy. Most insurance policies require you to take reasonable care and to not be negligent in their terms. That's why cars stolen from petrol stations with the keys in are not paid out (generally). Insurance companies don't cover cretinous stupidity.

      In this case, Sony are guilty of stupidity of epic proportions. Yes, they didn't steal the data, but they did act negligently in their handling and storage of the adat and therefore shouldn't complain. If they'd only lost their own data, they would look stupid, but could ignore it. Having lost millions of peoples data, they look so negligent it defies belief and should not be taking the high handed approach they appear to be showing at the moment.

      1. DrXym

        @Mad Mike

        Your analogy fails because you do not know they left the door wide open or put valuables in view or anything else of that nature. It may be they had relatively good security but it was defeated by sophisticated means. It certainly appears to be the case that their intrusion detection / forensics aren't up to much given that they don't know what data was stolen or even if it was.

    2. Juillen 1

      More like..

      Tesco decided to put such onerous searches at the checkouts (cashiers going through your pockets etc.) and refusing to take all credit cards apart from Tesco validated ones, and stop taking cash.. Then some people work out a way to make the self scan accept their regular credit cards, or cash.

      Later, someone works out a way to elevate this and utilise it to force Tesco networks to send off all the data (including credit card details that Tesco stored in plain) to some nice remote place where it could be harvested.

      Your analogy doesn't quite fit the general shape of what happened.

  25. Arse Face

    Bollocks

    The public in general will also end up being punished for this as the banks slip in charges to pay for the replacement of all of those millions of credit/debit cards that have been cancelled & replaced by Sony's users.

  26. Mad Mike
    FAIL

    Corporate Stupidity

    This shows just how stupid and arrogant a company can be. This is the equivalent of constantly annoying the biggest lad in the class and then wondering why they turn round and punch you. Rootkit scandal (should have been prosecuted), removal of OtherOS from PS3 etc.etc. Well, the biggest lad has now turned round and punched you. What will Sony do? Blame everyone else. In reality, they've brought this upon themselves in many ways. It will be interesting to see if the data is actually used criminally or not. I have a suspicion it won't be. This would almost prove it to be hackers who are simply giving Sony a bloody nose. No intention of using the data retrieved.

    Of course, this should instantly result in Sony being unable to take credit cards anymore. That'll never happen though. Credit card companies haven't got the guts. Just the same as the previous rootkit should have resulted in several execs going to jail, but it didn't.

    1. DrXym

      Er

      I see so, a "rootkit" (though in actuality a horribly misguided attempt at DRM) that appeared on a couple of CDs years ago and was withdrawn is the reason they deserve to be hacked now? Utterly pathetic reasoning.

  27. Anonymous Coward
    FAIL

    SonyFail

    They seem to be careless in their choice of programmers in general. I've just installed a utility (PCCompanion) from the SonyEricsson side of the business. Spybot promptly pointed out that it was trying to install BaiduBar spyware. If that's the level of customer quality control they have on their consumer software, it doesn't surprise me that their in-house stuff is even worse.

    Pity, they used to be a company worth doing business with.

  28. Anonymous Coward
    FAIL

    Qriocity

    Phew, talk about "dodging the bullet" - I once considered signing up to Qriocity on our Sony Blu-ray player, but thought better of it.

    And whilst I'm recycling tired old clichés: when I think of the "cloud" sites where they have my personal info and card details (thankfully not too many), it feels like I'm "waiting for the other shoe to drop"...

    Epic FAIL, and no mistake. If I'd ever considered a PS3, I'm not now.

  29. Anonymous Coward
    Anonymous Coward

    er...

    Great. So how about some helpful advice sony? Apology? Freebie to keep me interested in the PSN/PS3?

    ...yeah, thought you wouldn't

    Anyone else up for a retalitory litigation? Remove my other OS, loose my data! *dons pirate hat* Argh!

  30. irish donkey
    FAIL

    Can we have the discussion about...

    how important client side console security is again and how hard Sony fight to ensure a level playing field for their customers.

    Guess its one rule for client side and a different rule for them

    Remember kids hacking your console kills babies.

    So glad I'm not a Sony customer

  31. Bez
    FAIL

    WTF

    “When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password”

    Hang on. They "recommend you change your password"? Sothey're going to bring the system back up with the exact same passwords that are in the hands of the hackers, rather than suspend the accounts and send out randomly generated single-use passwords via email on request once the system's back?

    *SRSLY?*

    Have I missed something or are they completely mental?

  32. Anonymous Coward
    Thumb Up

    Aw, Poor Sony

    Oh I do feel sorry for them (hehe).

  33. Anonymous Coward
    FAIL

    So

    when Sony Entertainment America gets sued for breaching information protection laws will they then claim that they are a separate company from Sony Japan ?

  34. Anonymous Coward
    FAIL

    For starters

    Anyone know who Sony's bank is?

    Sounds like they've breached the PCI DSS and it's time to send in the auditors.

  35. Gary Holcombe
    FAIL

    Unbelievable

    Who do I feel more angry towards. The little twats who have wrecked PSN for the rest of us and stolen my details, or Sony for letting them do it so easily.

    I just cant believe Sony would store so much personal user information in this way with no encryption.

    1. Highlander

      Apart from wild Internet speculation and BAD journalism, who said it was unprotected?

      Seriously, I am getting extremely tired of this constant ignorance.

      No one anywhere has stated, indicated, admitted or revealed that passwords and CC detailed were stored in an unencrypted format. Not one single time has anyone said that. Yet I read story after story where the journalist essentially states it as fact, it is not fact.

      Passwords are stored as hashes and CC numbers are encrypted. If someone manages to penetrate a online commerce system and gains access to user and CC information, that doesn't mean it was stored in plain text. It means they got the information as it is stored - in hashes and encrypted formats. Yes usernames and such may be in plain text, but the CC details and password are not.

      That said, if someone has the capability and sophistication to breech PSN to that degree, it's likely they also have the ability to reverse weak passwords and possibly decrypt the CC details. Either way, It's true to say that the attackers may have had access to the CC information, but that doesn't mean they have it in a decrypted format. Just as it's true to say that if password data was accessed along with user information, it's possible that some passwords could be revealed after some work by the attackers to reverse the weaker passwords. Even with the best encryption and hashing techniques, the very fact that a password can be verified by comparing it to the hashed value means that the hash can be calculated to perform a match, and so it's possible for an attacker to obtain the password using a brute force attack on the password hashes. The same is true for the CC data. Even if it was stored in a strongly encrypted format, the fact that it can be used for transactions means that it has to be possible to decrypt the CC number and other information. Once again, that means it's possible - however unlikely - that an attacker could obtain CC details from the encrypted data with the correct attack and sufficient time.

      Since these things *are* possible and it's essentially impossible to 100% guarantee the security of a password or CC number, what Sony have said is perfectly correct. The data has been accessed, and perhaps some or all of it has been copied. But, that does *not* mean that the data has been decrypted and used by anyone at this time, nor does it mean that it will be easy for the attackers to do so.

      But come on, with stories like this in The Register and all over the net right now basically claiming that Sony stored these things in an unprotected manner, what will people believe? the truth - as boring and inexact as it is, or the simple accusation that Sony didn't protect the data properly? At this point it wouldn't matter if Sony had used the best available methods for password hashing and cc encryption or not, people will still believe that Sony failed to protect their data.

      Of course it's also fashionable in tech circles to hate on Sony and yet another feeding frenzy is in progress right now. So this will fall on deaf ears, as people with some inherent bias take out their personal frustrations in life on Sony.

      I prepare to accept the collected downvotes of the Eye of Moron now. After all, I not only used fact, reason and sense, but even suggested Sony is not to blame. Shocking.

      1. Black Betty
        FAIL

        Given all the personal data, the CC is easy.

        Assuming you are correct and encryption/hashes are used, the ONLY thing which might be beyond compromise is the account password itself.

        But either way is doesn't really matter, because of the information richness of the material which WAS exposed. What of "secret questions and answers"? how are they protected? Are they protected at all?

        With Name, Address, DOB,and all the other people readable identifiers, it would no great task convince the issuers to send replacement (or duplicate) cards directly to the hackers.

  36. Anonymous Coward
    FAIL

    The class action suit could be the end of Sony

    The epic fail of this story staggers belief.

    ALL personal data from 70+ MILLION users has been compromised. Think what this means in terms of scale of impact.

    Most users will have re-used their email address and password in many place. Yes - I know they shouldn't, but we all do it!

    But the revelation of DoB, credit card details and secret questions is a Fail of epic proportions.

    Fuckers.

  37. MJI Silver badge

    Banks are busy

    Phoned up to suspend the card.

    All calls that morning were from PSN users.

    I am using PSN cards from Tesco from now on!

  38. trafalgar
    Pirate

    Sony vs Hackers

    Sony: We sue you Geohot, take that!

    Geohot: Ok, I settle, I no hack you Sony!

    Sony: Ahahaha! Come on then you Hackers - if you think you're 'ard enough!!! It is Sony that RuleZ!

    Hackers: ...98...99...100% - copying complete!

    Sony: Doh!

  39. shade82000
    FAIL

    Phony

    Why did it take them 6 days to release this information? Why have the hackers now had 6 days to make use of all the details they stole before Sony even admitted anything?

    The obvious answer is that Sony's reputation and need to play this down is more important to them than straight honesty or the personal identities of 77 million people.

    That makes Sony as bad as, if not worse than, the hackers themselves.

    And the way they have been storing the data unencrypted is plain stupid. They should be investigated and heavily fined.

    I hardly use my PS3 and I only bought it because I have a PSP and it was heavily advertised as being compatible and linkable with the PSP. I only bought a PSP because it was the only handheld at the time. I thought that linking them together 4 years after the PS3 was released would provide more functionality than it currently does.

    The way they treat their user base is disgusting, removing features and taking legal action against individuals to 'protect their profits and intellectual property' when they could instead try providing a better customer experience and delivering ALL the features that were initially advertised with a product. That would have more of a knock-on-effect on their profits than suing / bullying people into submission.

    Please Microsoft, can you make an Xbox handheld? Then I will buy an Xbox as well and get rid of my PS3. But I will never ever buy a Sony product again.

    1. Mike VandeVelde
      Gates Horns

      +1...

      ...right up until that last paragraph there ;-)

    2. Highlander

      Read their statement. It took them this long because....

      The third party security firm engaged to perform the forensic analysis only informed Sony on Monday afternoon of the extent of the hack and potential data compromise, so Sony informed all the appropriate people inside Sony, emailed PSN users and put out a public statement the very next day. It's not like they were sitting on this information.

      But, why do I even bother pointing this out, no one will listen, their minds are already made up.

  40. Matt Hawkins
    FAIL

    ICO Useless & Toothless

    "I'd like to see the ICO take action against them for this. Bastards."

    The ICO take action? Now that is funny ...

    Sony deserve all the bad press they get. They have continued to treat their real customers like dirt. Their understanding of the most basic security is so useless I am surprised they are still in business.

    Plain text passwords? You have got to be kidding me ...

    I stopped even considering Sony products once they started installing illegal trojans and rootkits on people's computers.

    1. MJI Silver badge

      ICO take action

      They still haven't released "The Last Guardian"

      1. Anomalous Cowturd
        FAIL

        ICO Commissioner on You and Yours just now

        Reckons 3 million UK customers affected.

        ICO is "investigating"...

        Likely outcome, IMHO... Fuck all, as usual.

  41. Mr D

    Selling...

    .. My PS3 on Ebay right now. No reserve. No takers yet.

    1. MJI Silver badge

      How much?

      Might be worth it for a spare

  42. Anonymous Coward
    Headmaster

    plundered other information

    > Sony is warning .. to watch out for identity-theft .. The stolen information may also include payment-card data ..

    Would that be the same as Credit Card data ?

    1. Aaron Em

      No, more general

      A credit card is a type of payment card; so's any other sort of card you can swipe at a checkout stand. It's one of those terms you'll have heard at some point if you have any clue at all about how the credit card industry actually works.

  43. Arse Face

    On the flip side

    If you think of all the compromised Windows machines out there due to security holes, worms trojans and what have you - I bet there are a lot more than 70 million Windows users alone that have had personal data compromised, so in the grand scheme of things - It's really not that bad. To be honest i'd be more concerned if someone had nuked my porn collection - they can have the credit cards - they're easily cancelled and replaced - but the porn, that's taken the best part of 10 years to amass. Just a little vigilance people - i'm pretty sure the perpetrators will, quite rightly, be shitting themselves anyway - they've probably left a trail leading right back to themselves.

    1. Anomalous Cowturd
      Joke

      In reply to Arse Face, because it's not obvious...

      Only one hard disk of pr0n?

      Amateur!

  44. Adam T

    Legislation

    Be nice if theis led to some new rules, such as only requiring your personal details when actually signing up to a service. There's no reason for keeping anyone's real name, address, date of birth, on file. Once a transaction has been processed, it's processed, move along.

    If details are needed to verify the transaction, then maybe it's time they were held by a higher authority. My bank hasn't told anyone my PIN code or address lately... I may not like them (hey they're a bank) but I sure as hell trust them more than joe public's poxy excuse for a secure web service.

  45. mraak
    Coat

    Non encrypted passwords?

    I wonder how many others do that. God help us all...

  46. Scott Broukell
    Stop

    wait for it ......

    "Your PSN login credentials have been corrupted. In order to re-establish your correct login details so you can continue with the PSN gaming experience you are required to re-enter your original details in the form below - including your card details and PIN. Failure to complete the information requested may result in complete loss of your PSN gaming account and all associated data sets."

    yours chincheerily

    The Boys from Lagos (hehe)

  47. Anonymous Coward
    Anonymous Coward

    Class Action Lawsuit started

    http://uk.ps3.ign.com/articles/116/1164392p1.html

  48. trafalgar
    Pirate

    Why it took 6 days...

    Day 1:

    PSN Admin: We've been hacked! And it's possible user data was copied! We're patching the servers now....

    Sony: Doh!

    PSN Admin: Should we inform our users? Get them to change their passwords...?

    Sony: Let me think....thinking....thinking....

    PSN Admin: <sigh>

    Sony: I got it - shut down PSN!

    Day 2 - 6, meetings:

    Sony: what to do... umm... aah.... er... thumb twiddling...finger in ar$e.......smells finger.

    Day 7:

    Sony: PRESS RELEASE - We've been hacked!

  49. AB

    @trafalgar

    We'll never know the truth, but I suspect you're not far off.

    I further suspect that anyone who thinks you are being overly cynical has never worked for a corporation.

  50. Phil Dawson

    Data centre security

    The news that in light of the hack, Sony plans to move its data centre to a location that it claims is more secure raises some interesting questions.

    It is worth highlighting that no matter how secure the location and the technology, people are still the key to real security. If employees do not see security as a top priority, then even the most secure system can easily break down - especially if basic access practices relating to hardware, databases, etc. are ignored by technical staff.

    Even with robust technology, there is always a need for high-quality ‘human management’. Corporate technologies like secure ID still require a strong bond of trust and a process of education in place between business and employee. After all, unprofessional or disaffected users all too often pass critical information on passwords, codes and ID numbers to others.

    A even more farsighted or revolutionary approach for Sony might be to encourage its customers to access their online and gaming services through more secure network access that could, in turn, help track and monitor network external hackers and restore consumer confidence in the Sony network.

    Secure services like tibboh, for example, can then become the basis for providing access to age appropriate games or the Internet and even for restricting the use of illegal download sites. They can also help provide a clearer audit trail back to the data thief, reducing the likelihood of a hack attack in the first place.

    Phil Dawson, managing director, MDS Technologies

This topic is closed for new posts.

Other stories you might like