Between the 17th and 19th of this month, Sony’s PlayStation Network and streaming service Qriocity were compromised through an intrusion into the network. Sony was aware of the intrusion on April 19th and shut the service down as a result, first posting about the outage on April 20th. Since then, the PSN has been unavailable for those wanting to use it for online gaming, playing some games purchased from the PSN Store, or accessing online music and videos.
Today, Sony detailed that the intruders may have had unauthorized access to personal information of Sony PSN and Qriocity customers. From today’s blog post and a PlayStation Support page:
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
There are two risks to consider when the wrong people have this information. First and foremost is the direct threat. Sony recommends keeping track of your credit and watching your credit card accounts. It would also be wise to change your password for any other accounts you have that might share the password with your PSN account. The second concern is the indirect route: somebody might use the information obtained to try to spear phish you. If somebody were to call you on the phone and know all this information about you, then they might be able to get you to do what they want – like “confirming” an account number or something similar that would result in scamming you out of much more.
Right now, the PSN system is being rebuilt to be more secure, and a third-party security firm is assisting with the forensic details. The PlayStation Network is supposed to be operational again within a week. It is unknown if or when the security firm might confirm what the data breach included.
Theories abound for who hacked the PSN and what their motivation was. Some theories include revenge for the recently settled Sony v GeoHot lawsuit that followed the jailbreaking of the PS3. Another theory comes via a post on Reddit that says a dev firmware clone allowed 3rd parties to access the PSN Dev Networks and Sony is rebuilding them to prevent this access.
Whatever the reason for the breach, Sony has some technical rebuilding and trust rebuilding to do immediately after the PSN is back up. Until today’s blog post by Sony, the details have been minimal and individuals have just been waiting around to be able to play games and stream content. Now, they might have a little more to worry about. I’m guessing we’ll find out more details as time goes on, the PlayStation Network gets up and running again, and any consequences are discovered. For now, you might comfort yourself with the cold, heartless FAQ page that Sony has provided regarding the outage and breach.