[Article first published as First PSN, now SOE: Sony's Wounds Deepen on Blogcritics.]
I spent more time this morning checking the posting dates of the articles I was reading online than I did on taking in their contents. It seemed to me like I had read these stories before. I checked my network connection and made sure that I wasn’t getting cached copies of the sites I was reading, and then went back to searching for posting dates again. Why? Because what I was reading about was a security breach and attacks on Sony servers that could have caused user information to be compromised. Now it was fairly early for me, so I didn’t put the pieces together right away and convince myself it wasn’t just déjà vu. I mean I remember writing about Sony’s PSN press conference. Or do I? Finally reality dawned on me as the coffee kicked in and I realized that this wasn’t about the PSN. It was SOE.
The story today is actually about Sony Online Entertainment (SOE), Sony’s online gaming arm. Separate from the PlayStation Network, this is the part of Sony that offers MMO games like EverQuest and DC Universe Online. As it turns out, as I was writing about Sony’s “Welcome Back” package for PSN customers, it was reported by Nikkei that about 12,700 credit card numbers were stolen in more of the digital salvo against Sony, which caused Sony to take their SOE sites offline. Sony spokeswoman Michele Sturdivant told the Wall Street Journal that “this was not a second attack,” citing that the SOE sites were taken down as part of their ongoing investigation regarding the PSN intrusion. It still seems to be a second attack to me regardless of that statement. Even though the systems are similar, PSN and SOE are operated separately as distinct systems, even though they share some tech under the Sony banner. Maybe instead we can call it a second battle in the same war.
Well my friends, that wasn’t nearly the end of it. A press release put out there today by SOE states that personal information could have been stolen from 24.6 million accounts in addition to those taken from the PSN. 24.6 million. To put that into perspective, that number is larger than the entire population of Australia, or about 8% of the number of people in the United States. The account information includes general user information like names and addresses (…and hashed passwords). In the same press release they fess up to those 12,700 stolen credit card numbers, but state that they are non-U.S. numbers from an outdated 2007 database. Also stolen were 10,700 debit cards from Austria, Germany, the Netherlands, and Spain which included bank account numbers in addition to general user information.
Sony’s already fighting to keep their PSN customer base, and is currently working on a “make good” plan for their MMOs. Right now that means 30 days of additional time on their SOE subscriptions, with an additional day for each day the system is down and again, the promise to do better. Their security update and customer service notification outlines similar things as the earlier PSN press release, including offering help with enrolling in identity theft protection programs, putting fraud alerts on your credit with reporting agencies, and links to the FTC’s ID theft page.
So what’s next? Sony has found itself in all-out war after the intrusions into their gaming services. What can they say that’s positive? If it is any saving grace, Sony did state that the credit card numbers were transformed with a cryptographic hash, but experts at Sophos Labs point out that hashing a file doesn’t make it unbreakable. In my role in IT, it’s amazing how many people outright tell me that they use the same password for absolutely every aspect of their online identity. This is a fairly common practice, so getting one user’s password may in fact mean getting all of that user’s passwords.
To play devil’s advocate here for a second, Sony was also a victim in this ordeal, and was at the receiving end of intrusions that are clearly criminally malicious in their design. It’s very easy for a lot of companies to say they’ve never been hacked because, let’s face it, they’ve never been anyone’s targets, as Sony clearly is right now. Sony has been embroiled in some pretty public battles of late, starting with legal action with George “Geohot” Hotz and a subsequent issue with Anonymous, that have squarely thrown them into the public eye. Combining that with some people’s scrutiny of their practices (while Microsoft is openly offering an SDK for Kinect), as well as a series of SOE layoffs in late March, there are a lot of potential culprits out there.
I never really used my PS3 much because it was just something that came as a bonus with the TV I bought, and ended up solely being my Blu-ray player for a while until I finally bought some games for it. I don’t play online through PSN, and I don’t play anything through SOE, but those things aside, the PS3 is a good console with decent games that’s capable of doing a lot of things. It’s sad really. All of that was wrecked for a lot of people by what I can only call a lack of preventative security measures. When dealing with user accounts and financial transactions, user security must be paramount. It was possible for Sony to climb out of the PSN mess, but with the SOE problem it could be the equivalent of clawing their way back from the brink of death. Combined with the PSN issue, the number of affected users has topped 100 million, and every single one of them are probably thinking twice about doing business with Sony again.