This morning, a press conference took place in Tokyo, Japan and the following press release is now being distributed worldwide. We would also like to once again thank you for your patience.

On 1 May 2011, Sony Computer Entertainment (SCE) and Sony Network Entertainment International (SNEI, the company) announced they will shortly begin a phased restoration by region of PlayStation Network and Qriocity services, beginning with gaming, music and video services to be turned on.

The company also announced both a series of immediate steps to enhance security across the network and a new customer appreciation programme to thank its customers for their patience and loyalty.

Following a criminal cyber attack on the company's data centre located in San Diego, California, USA, SNEI quickly turned off PlayStation Network and Qriocity services, engaged multiple expert information security firms over the course of several days, and conducted an extensive audit of the system.

Since then, the company has implemented a variety of new security measures to provide greater protection of personal information. SNEI and its third party experts have conducted extensive tests to verify the security strength of PlayStation Network and Qriocity services.

With these measures in place, SCE and SNEI plan to start a phased roll-out by region of the services shortly. The initial phase of the roll-out will include, but is not limited to, the following:


  • Restoration of online gameplay across PlayStation 3 and PSP systems, including titles requiring online verification and downloaded games.
  • Access to Q Music Unlimited for PS3/PSP for existing subscribers.
  • Access to account management and password reset.
  • Access to download unexpired movie rentals on PS3, PSP and Media Go.
  • PlayStation Home.
  • Friends List.
  • Chat functionality.



Working closely with several outside security firms, the company has implemented significant security measures to further detect unauthorized activity and provide consumers with greater protection of their personal information.

The company is also creating the position of Chief Information Security Officer, directly reporting to Shinji Hasejima, Chief Information Officer of Sony Corporation, to add a new position of expertise in and accountability for customer data protection, and to supplement existing information security personnel.

The new security measures implemented include, but are not limited to, the following:


  • Added automated software monitoring and configuration management to help defend against new attacks.
  • Enhanced levels of data protection and encryption.
  • Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns.
  • Implementation of additional firewalls.



The company also expedited an already planned move of the system to a new data centre in a different location that has been under construction and development for several months.

In addition, PS3 will have a forced system software update that will require all registered PlayStation Network users to change their account passwords before being able to sign into the service. As an added layer of security, that password can only be changed on the same PS3 in which that account was activated, or through validated email confirmation, a critical step to help further protect customer data.

The company is conducting a thorough and ongoing investigation and working with law enforcement to track down and prosecute those responsible for the illegal intrusion.

"This criminal act against our network had a significant impact not only on our consumers, but our entire industry," said Kazuo Hirai, Executive Deputy President, Sony Corporation. "These illegal attacks obviously highlight the widespread problem with cyber security. We take the security of our consumers' information very seriously and are committed to helping our consumers protect their personal data. In addition, the organization has worked around the clock to bring these services back online, and are doing so only after we had verified increased levels of security across our networks. Our global audience of PlayStation Network and Qriocity consumers was disrupted. We have learned lessons along the way about the valued relationship with our consumers, and to that end, we will be launching a customer appreciation programme for registered consumers as a way of expressing our gratitude for their loyalty during this network downtime, as we work even harder to restore and regain their trust in us and our services."

Complimentary Offering and "Welcome Back" Appreciation Programme

While there is no evidence at this time that credit card data was taken, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programmes. The implementation will be at a local level and further details will be made available shortly in each region.

The company will also roll out the PlayStation Network and Qriocity "Welcome Back" programme, to be offered worldwide, which will be tailored to specific markets to provide our consumers with a selection of service options and premium content as an expression of the company's appreciation for their patience, support and continued loyalty.

Central components of the "Welcome Back" programme will include:


  • Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
  • All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
  • Q Music Unlimited subscribers (in countries where the service is available) will receive 30 days free service.



Additional "Welcome Back" entertainment and service offerings will be rolled out over the coming weeks as the company returns the PlayStation Network and Qriocity services to the quality standard users have grown to enjoy and strives to exceed those expectations.

SNEI will continue to reinforce and verify security for transactions before resuming the PlayStation Store and other Qriocity operations, scheduled for this month.

About the attack

  • Not related to Anonymous, although they did bring up that they were being attacked by them for the past few months (repeatedly stated it was limited to DDoS).
  • This intrusion was very skillful and passed their firewall and other security measures because it looked like a normal transaction. It then made a tunnel and had a command attached as a trigger, at which point it was able to be manipulated remotely.
  • The attack used a known vulnerability. However, this vulnerability was not known to the management (really hope I understood that part correctly since it's a biggie). Since then, security measures have been improved against that mechanism of attack.
  • Because it was an advanced attack and left "no traces", they didn't learn of it until the 19th/20th of April. They still aren't aware of the scope of the data compromised, but say that CC info was a low possibility, since it was stored in a different part of the database and not likely read.
  • It took them until the 27th of April to confirm that data was compromised. They had been working with 3 different analysis entities starting from the 20th.
  • Information of up to 78 million accounts was taken, but some were likely duplicate/backup accounts. They were later asked about sales data and said that 37 million PS3s and 16 million PSPs had connected to PSN (install base of 50/69mil). There were 10 million credit cards connected to PSN at some point.
  • From what I understood, it seems that Sony will be doing more testing/inspection of its security measures to prevent future incidents like this. At the time though, SNEI believed their security to be good enough.

Compromised Information

  • Hirai said that no improper CC usage has been reported and they have no evidence of CC info being compromised. They said that Sony will pay for CC reissuing and assist with monitoring/insurance programs for customers. If there are any improper charges, they will be handled on a case-by-case basis.
  • CC info was encrypted and stored in a different part of the database from user personal information. Because of this, user information and CC information are being categorized separately.
  • User passwords were not encrypted, but were hashed.
  • They are still analyzing data of the attack, so they weren't saying a whole lot about what had been taken.

Investigation

  • Entities from outside of Japan have contacted Sony and requested that they cooperate with their investigation process. FBI HQ seems to be the most involved currently. List of questions from USA House of Representatives has been received.
  • Didn't give any more information, just said that investigations had been started globally.
  • They weren't aware of the extent of the attack until the 27th of April; the conference was delayed because there was much more that they wanted to work out (in terms of compensation and other considerations).


Resumption of Services and Compensation

  • PSN compensation and CC-type compensation are being considered separately. Sony says they will cover credit card reissuing fees and will assist with credit monitoring/insurance programs.
  • Again saying that PSN will be online "within a week." Going to be incrementally bringing services back online. Different regions may see services at different times.
  • All PSN users will get one free month of PSN+ (current PSN+ subscribers will also get 30 free days), Qriocity subscribers will get a free month, and there will be some titles available for free download. This will differ based on region, and their plans are not finalized as of yet.
  • All services to be back online within a month.
  • As far as cost to Sony, they weren't sure and it'd vary by region, but $15-$20 for PSN+ and a few thousand yen for the titles.

Immediate Actions Being Taken

  • Moving the data center from San Diego to a more secure location and adding new detection measures, firewalls, and encryption to make data more secure. Creating a new job position to monitor security. These things have already been done to an extent, but they wouldn't comment specifically out of security considerations.
  • Sony is going to have a way for users to look at purchase history online (I think before PSN is actually up) to check for any abnormalities.
  • Sony will allow users to leave PSN. They are looking into ways to refund any balances on PSN or PSN+ fees if those exist for the user. There was one conflicting answer about this, but I'm pretty sure they're working on a system to allow users to leave and erase their info if they desire.
  • Firmware will need to be updated as soon as PSN is back up and users will need to change their password. Passwords can only be changed on the PS3 system on which the account was created or via a verified email address. That seemed like a super important point, but it was only mentioned once. However, that means people don't have to worry about a mad dash to change their password before a hacker does. As far as users changing a password from "A" to "B" and then back to "A," they'll alert users if they're doing something like that, or if it's close to their username or something.
  • Apparently the updates in Japan were even slower than the ones in the US/EU, so in Japan they're probably going to set up a blog similar to the NA/EU.
  • Tablet/NGP launch dates will not be affected.
  • They'll possibly be taking measures against the root key thing, although this part wasn't clear and there was a lot of rambling.
  • Want to re-earn user trust as well as developer trust on the PSN ecosystem.
  • They actually apologized for the incident!!


Concerning the data center being moved, "[Sony] also expedited an already planned move of the system to a new data center in a different location that has been under construction and development for several months." (from the US PlayStation Blog post)

For more information about the PlayStation Network and Qriocity services intrusion and restoration, keep an eye on PlayStation.Blog at blog.eu.playstation.com, twitter.com/PlayStationEU and eu.playstation.com for the latest updates.

Source: Link