Sony clarifies when it knew of data theft
Sony has issued a statement regarding the gap between when it pulled the plug on the PlayStation Network and when it alerted users of the data theft, claiming that experts didn't know the scope of the breach until Monday.
Sony has issued a statement regarding the gap between when it pulled the plug on the PlayStation Network and when it alerted users of the potential data theft. Corporate communications director Patrick Seybold clarifies what the company knew and when, claiming that the investigation didn't yield concrete results until Monday:
There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday [Monday] to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon [Tuesday].
It does seem likely that Sony suspected user data theft was a possibility when it pulled the plug last Wednesday, and gamers can draw their own conclusions on whether knowledge of the possibility should have had Sony alerting users earlier. Even given the statement, the company apparently confirmed the data theft on Monday but announced it on Tuesday. Still, Seybold denies that the company sat on the knowledge for a full week.
In a rare spot of good news, Sony's MMO-centric division Sony Online Entertainment has confirmed that it was not a victim of the attack, as its systems and databases are separate.
"We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons," SOE director of global community relations Linda Carlson explained.
Sony has also set up a FAQ page regarding the incident. It declines to comment on the frequency of attacks on the PSN or its security measures, and reminds users to be vigilant with common-sense identity theft prevention steps. Be wary of e-mails or telephone calls asking for personal information, and if you provided PSN with a credit card, watch your credit statements carefully for signs of fraud.
Sony is expected to resume some PlayStation Network services within a week, and will be promoting games that were meant to come out in the interim. Meanwhile, analysts point out that while the financial impact is hard to predict, the company has been hit by a serious issue of consumer trust.
-
Steve Watts posted a new article, Sony clarifies when it knew of data theft.
Sony has issued a statement regarding the time disparity between shutting down the PlayStation Network and alerting users of the data theft, claiming that experts didn't know the scope of the breach until Monday.-
This is why it's hard for me to understand why people are so mad about the info they got yesterday. Yes, it would have been nice to be able to get the info sooner, but SONY didn't know either.
Would we rather have them potentially have cried wolf?
If you hear of an information network getting hacked you should automatically think that it's possible that your info was stolen, not wait for a company to confirm it, then get all up in arms when they finally do.
You people make it seem like Sony has been the first company to get hacked and had customers' information stolen. -
-
I'm sure the engineers who built and maintain PSN were delighted that external 'forensics experts' had to be brought in to investigate their own system logs.
From an engineer's perspective, if a serious network intrusion has been detected (and you know the means by which it occurred) then you will immediately know if sensitive information could have been compromised through that means, encrypted or not. It isn't rocket science - it's knowing how your damn system works.
In my opinion, Sony crossed their fingers and sat on this information for a week. They hoped they could avoid the PR shit-storm by proving that customer information WAS NOT leaked instead of providing an early heads-up on the possibility that it was. Given how credit card information was also at risk, this was an extraordinarily immoral thing to do.-
There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised.
This is similar to saying there was a time lapse between noticing your door has been kicked down, versus when you realized if anything had been stolen. When the "goods" are virtual this can be complicated.-
-
I don't think you are understanding what I'm getting at here. Sony knew about this possibility a week ago - it's why they've spent all this time 'rebuilding PSN', bringing in data forensics agencies, etc. Why do you think they were right to hold such information back from the people it could affect the most?
-
People are idiots. It wouldn't have made any difference if Sony had come out sooner with any more info than they did. These threads are proving how reactionary, paranoid and filled with indignant outrage the average user is. I'm not surprised they didn't come out with a thousand possibilities of what the breach could have meant, there's a shit storm either way and my only annoyance would be if they didn't immediately alert relevant authorities of the deeper potential implications.
-
Not sure if this has been mentioned in the other threads or not but surprise surprise, Sony has been dealt a class action lawsuit for their handling of this situation. http://uk.ps3.ign.com/articles/116/1164392p1.html
Talking of which, it's been over a day and I still don't have any email notification from Sony.-
unless the TOS agreements preclude class actions... http://www.nytimes.com/2011/04/28/business/28bizcourt.html?_r=1&ref=us
-
No matter how you look at this situation it's obvious that Sony screwed up. They should have notified us immediately that our information MAY have been compromised. Even if you don't believe that they should have, ask yourself why they didn't tell us Monday when they claim they found out? Why did they wait a day?
There was a great comment on Kotaku yesterday about how Sony is bound by certain laws as a vendor who accepts credit cards. One of the requirements is that our information be encrypted. Sony did NOT encrypt our info.
If Anonymous really is behind this attack then they did an incredible job of screwing Sony over. Look at all the Sony rage going on right now. Whoever orchestrated this attack did more damage than I think they even realize.-
-
If these guys were good enough to hack the network and cause Sony to shut it down, it's safe to assume that they are or could be smart enough to crack whatever encryption may have been used, or be all, "let's steal the encrypted data and crack it at a later date."
What REALLY needs to be looked at is not this finger-pointing and blame game (because it's all childish and, well, just plain pointless) in this crime, because, well, that's what it is. What we need to look at is the fallout of what has been called, and is, the biggest breach of security in history. This is going to have ripple effects across not just the game industry but others as well. I am willing to take a good guess that most large companies go to the same firms for security.
So don't companies like Apple with iTunes, Amazon, Blizzard potentially have this information stored? I can sign into both and one of my old numbers for an inactive card is still sitting there when I go through the payment process.-
Well yes, there's always the possibility that whoever accessed the data was also able to grab the algorithm & key(s) used to encrypt it.
My understanding is that Amazon and other companies only store several digits of your card number (typically the last four) along with the card name, expiration date, etc. Presumably when a user first enters their card details into the site, all of those details are sent to the payment processor company for storage at their end. When a user then makes a purchase on Amazon, the card details that Amazon actually have (name, last four digits, etc) are hashed together and sent on to the payment processor to verify and create the transaction.
I could be wrong on this. Personally I've only dealt with single-blast payment processors where the details aren't stored at all. Nevertheless, if I'm right then this is the approach Sony should have been taking also, i.e. they shouldn't have the facility to leak important credit card information.-
Okay, well, I have used a CC before on PSN and they do it the same way as Amazon, with the last 4 digits stored and the rest X'd out. Right now we don't know if CC information has been taken. From the way you explained the process, that is the same way PSN stored my number when I added funds to my wallet: last 4 digits, the rest X'd (don't worry, I have taken the steps needed to CYOA on Sat). So it would be a good educated guess that Sony used the same process as Amazon.
Now, once in the systems, could they have traced this back to the payment processor (which I guess is used by multiple companies)? So right now the reason that information is slow in coming is that this is a crime scene. So anything and everything is evidence. Having a friend who was the victim of a crime recently, when it comes to law enforcement there is very little that can be talked about once the investigation has started.
-
http://online.wsj.com/article/SB10001424052748703778104576287362503776534.html?mod=WSJ_Tech_LEFTTopNews
So JP Morgan and Chase got hit too... but both the FBI and Sony are "declining" to say if they are working together. Which is another way of saying "I can neither confirm nor deny this."
I do reckon there is an investigation going on here, good sirs..
-
Wtf is wrong with everyone and this hate toward Sony.. I guess Anon was in the right telling the WORLD of hackers to attack them, right? And for what? The punk Geo and OS on the ps3 to allow pirated games... What does Sony have to gain by lying to everyone? They have the FBI there with them now supporting them, I highly doubt they would want to get caught doing that... If the punks who started this mess aren't caught then shit has to change on the web. It's one thing to be free and Anonymous and it's another to use that to cause damage and harm to others....
-
Trust me on this, and it's not that I don't agree, but no security, no matter how strong, is break-in proof. From reading that article on the WSJ, there have been other high-profile companies like JP Morgan and Chase. Now the reason why that's not all over the news is because JP Morgan and Chase do not have an online service that affects 70 million users. What's scary is that JP Morgan and Chase have a lot more and far more sensitive material than Sony, being that it is a bank.
This incident and others in recent months have put hacking, cyber theft and information theft in the limelight. It's safe to say neither law enforcement nor these large companies are really prepared... nor are we the consumer. -
-
http://food.change.org/blog/view/hold_the_fish_please
Scroll down to W L's comment
-
I received an email, confirming that my data was in fact stolen but it was not known whether or not my credit card info was stolen as well... in the email it doesn't say anything about any of the information being encrypted and encourages me to contact the credit reporting bureaus and monitor my bank account. Dunno if anyone else got this email as well
-