UPDATED: Sony is to offer a free 30 day subscription to their PlayStation Network plus a free software download as compensation to the millions of PSN users who have been unable to access the network for over a week. They have also offered to pay for new credit cards if charges apply.
Sony VP Kaz Hirai (formerly of the PlayStation division) is currently addressing a press conference in Japan to explain several issues after an external intrusion of the PSN network by unknown hackers compromised the personal information of up to 77 million users including up to 1,250.000 in Australia.
SonyJapan revealed over 1.5 million Australian user accounts including potentially 280,000 credit card numbers are in the hands of hackers. In the past Sony has said that they only had 750,000 accounts affected.
Sony in Japan revealed over 1.5 million Australian user accounts including potentially 280,000 credit card numbers are in the hands of hackers. In the past Sony has said that they only had 750,000 accounts affected.
He said that PSN passwords were not encrypted but hashed. Sony said that they are now putting into place new security measures in local regions like Australia.
Kazuo said the company still isn’t sure about the possible earnings impact from the security breach. Sony faces additional costs related to implementing additional security measures and offering users complimentary access to premium services in the wake of the breach.
The company said it isn’t sure if the hacker obtained the users’ credit card numbers and expiration dates, purchase history and password security answers.
Japan: Sony Press Conference Sunday. |
Engadget reported:
Hirai said that as many as 10 million credit card numbers may have been exposed, though Sony says it has no proof that any have actually been compromised, and claims that it has received no reports of credit card fraud thus far.
Sony said they were first alerted to unauthorised access when first experts brought in determined it was a highly skilled intruder, so Sony brought in a second security firm to determine what had happened.
Then, they emailed customers and published warning information. So far, so good.
Yeah, lots of information was potentially stolen. “No evidence that credit card numbers, expiration dates or billing addresses” were stolen, though, according to the livestream translation.
They haven’t confirmed any cases of credit card fraud so far, and will let us know when they have more information. Sounds like they just don’t know yet.
There’s a diagram up — attackers accessed a database using a tool of some sort. The Japanese translation here isn’t technical enough to tell us what.
Kaz says there will be new security measures to prevent this sort of hack in future. New data center, moved from San Diego to a new location with “more advanced security.” Enhanced detection capabilities, automated software monitoring, enhanced levels of data encryption, enhanced everything. Additional firewalls. Sony’s creating an Chief Information Security Officer to handle these preparations in future. Good to know.
There will be an additional sign-on security measure of some sort, but Sony’s also asking customers to be vigilant and check their credit card statements. Sounds like they’re worried about fraud after all. They’re asking customers to change all their passwords too, and change all passwords used on other websites that happen to be the same as the PSN ones.
Sony says it will “consider” paying for new credit cards if they have to be re-issued to affected customers.
Q&A time.
There have been as many as 10 million credit cards registered, but Sony’s not sure how many if any have been compromised.
“By the end of a week’s time, we’d like to restart our services in order,” says the translator. Sony expects there may financial impact of re-issuing credit cards, lost sales on PSN and Qriocity items, etc, but don’t have concrete information on the impact yet.
Again, they say they haven’t received any reports of actual damages from credit card fraud as of yet.
Q: How many people have been affected? What kinds of legal action can Sony take? A: We’re still investigating the leak, so it’s not possible to say with any certainty the extent of the hack, but there are 78 million accounts. Some users register more than one account, but the volume of data is potentially for 78 million accounts.
Since SNEI (Sony Network Entertainment Inc.) is based in the United States, they’re working with the FBI… doesn’t sound like they’re pursuing any other particular legal action yet, but the translation’s a bit spotty.
Sony’s discussing the fine points of data leakage and probabilities. Nothing is for certain, it seems, but they have “no trace” that the intruders went into certain parts of the database.
Q: Was this hack exploiting a known vulnerability, or a new one? A: The one at this time was a known vulnerability, but SNEI management was not aware of it. We’re creating an information security officer to improve that. (Sony declined to discuss details of the exploit… it sounds like protections against it aren’t in place yet.)
Sony plans to deploy credit card monitoring measures region by region.
Q: Why did it take so long to disclose this in a conference like this? A: We shut down the PSN quickly, and it took time to analyze all the data, so we had to take these actions gradually. Once we became aware of the situation, we moved promptly to warn customers.
It also took more time than Sony hoped to shut down parts of the PSN and to analyze the data, Kaz says.
Sony says that there’s some speculation, but that it doesn’t have any proof that Anonymous is behind the attacks. “It’s not that we don’t have any infomation at all, but it’s still within the realm of speculation,” says Sony’s translator.
The company says that some security measures were in place, and that the credit card database was definitely encrypted, but… and something was lost in translation here… it sounds like the other user information may not have been.
Kaz is talking about how future devices, including the NGP, will rely on PSN in future. “We have to regain the trust and confidence of our users.” Sony will try to achieve that by strengthening network services and communicating with users better from now on, he says.
Kaz suggests that users may be prompted to change PSN passwords more frequently in future.
Q: What message will you deliver to the hackers and pirates? (The speaker seemingly phrased this in the context that such hacks regularly occur and hardware companies have to coexist with such parties) A: We have to be able to protect the intellectual properties and copyrights, and by providing protection systems, we can provide software for users to enjoy… can maintain the ecosystem. We don’t want our platform to be undermined.
Kaz is stumbling around a bit (or Sony’s translator is) but it sounds like he’s emphasizing proactive data protection over ongoing legal action. Forgive us if that’s not the case.
Sony decided to correct an earlier statement, saying that PSN passwords were not encrypted but rather hashed.
Both Kaz and the Japanese reporters are repeating themselves a bit now. Here’s hoping there’s something concrete left to talk about.
One reporter asked about compensation for the personal data leakage, in terms of credit card charge refunds, free software and the like, and Kaz insisted that the gifts are not compensation for the leak — Sony is not presently compensating customers for the data leak because it doesn’t have any evidence of credit card fraud, and Kaz says if Sony gets such reports it will deal with them on a case-by-case basis.
Another reporter asked how many customers have already canceled their PSN accounts, and how Sony will deal with these customers’ accumulated funds in their online wallet. It sounds like Kaz dodged the first half of the question — saying something about how PSN doesn’t rely on membership — but we can’t be sure from the translation. He does say, however, that Sony will deal with PlayStation Plus members and the contents of online wallets on a case-by-case basis. Sounds like a hassle.