Develop looks at the two turbulent weeks when Sony’s online business fell into disarray
[All dates in GMT]
* Two months before the PSN breach, an unattributed chat-log between a group of hackers is published on the net. In the message exchange, some users repeatedly claim the PlayStation Network is vulnerable to outside hacks.
* “Sony should know that running an older version of Apache [a web server] on a RedHat server [an open-source Linux server] with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server,” writes one anonymous hacker.
* “You know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from PSN using a Visa card,” writes another.
* Sony Online Entertainment servers are illegally accessed, exposing the details of an estimated 25 million customers.
* An old database of credit card data is accessed, as well as a current database of personal user information.
* Unknown to Sony, an individual breaches the PlayStation Network within this three-day time-frame.
* The login data and passwords of some 77 million PSN users is accessed, and possibly retrieved by the individual.
* Email data, home addresses and security answers (mother’s maiden name etc) are also exposed to the individual.
* The individual discovers that none of the data is encrypted, aside from users’ credit card data.
* It is not known if the credit card data is taken.
* Sony discovers there has been “an intrusion” into the PlayStation Network.
* “We learned there was an intrusion April 19th and subsequently shut the services down,” says Patrick Seybold, PlayStation Senior Director of Corporate Communications, [this claim was made seven days later, April 26th]
* Sony internally shuts the PlayStation Network down.
* A message to developers with privileged PSN access warns that the system is down due to “emergency maintenance”
* PlayStation Network users begin to report that the PSN service is not operating.
* Sony publicly acknowledges the downtime.
* “We’re aware that certain functions of the PlayStation Network are down,” Seybold says, adding that Sony will “report back as soon as we can with more information”.
* Sony is “investigating the cause of the Network outage” Seybold says in an updated message.
* He adds: “We wanted to alert you that it may be a full day or two before we can get the full service back up and running”.
* Sony Online Entertainment “interrupts its services” for online games such as Vanguard, EverQuest II and Free Realms.
* Seybold warns: “An external intrusion on our system has affected our PlayStation Network.”
* Sony adds that it shut down the Network itself, and for two reasons. The first is for the security of its customers, the second reason is to conduct “a thorough investigation”.
* Seybold says efforts to bring the PlayStation Network back online involves “rebuilding the network to further strengthen our network infrastructure”.
* He adds: “Though the task is time-consuming, we decided it was worth the time necessary to provide the system with additional security.”
* The network is down for the fifth consecutive day. Sony issues no statement.
* Sony hires a security expert to investigate the breach [according to statements made May 1st]
* Sony apologises that it does not have new information on the downtime.
* Seybold says: “Unfortunately I don’t have an update or timeline to share at this point.”
* Security experts now aware of “the scope of the breach”, according to a statement made the next day.
* Sony announces that sensitive data, tied to some 77 million PlayStation Network accounts, may have been compromised.
* Sony begins a mass-email alert of the massive data breach.
* Users are warned of identity fraud. Sony asks customers to check bills and “remain vigilant”.
* US Senator Richard Blumenthal publicly criticises Sony for waiting seven days to notify PSN customers of the security breach.
* A punishing and intense 24-hour period of media backlash ensues, along with filed lawsuits and threats from numerous watchdog groups. National media from around the world cover the story on front pages and top-of-the-hours.
* Sony says this is now a criminal matter.
* “We have no evidence that credit card data was taken,” the company adds.
* A statement from Sony Online Entertainment explains that, in regards to the developer’s MMO games, no data was compromised.
* SOE says it has “been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorised person or persons.”
* SOE adds: “We are continuing that investigation and monitoring the situation carefully.”
* Sony shares close down 4.5 per cent in Tokyo, while the broad market rose 1.6 per cent. The stock has by this point fallen over 8 per cent in a week.
* The US Department of Homeland Security announces it is assisting the investigation into the PSN hack.
* Sony announces it will soon begin a regional phased restoration of the PlayStation Network.
* Most services, excluding digital downloads, were said to be the first to return.
* Sony announces a series of immediate steps to enhance security across the Network.
* A new “customer appreciation” program is mentioned.
* Sony Computer Entertainment boss Kaz Hirai chairs a press conference in which he apologises for the inconvenience associated with the data breach.
* Hirai adds: “This was a highly sophisticated attack by a highly skilled intruder who invaded the [PlayStation Network] system and took steps to cover his tracks.”
* Around ten million PSN users stored info on the PlayStation Network, Hirai adds.
* Sony Online Entertainment temporarily shuts down its servers for the second time.
* “In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately,” the company says.
* Late in the day, the company reveals that Sony Online Entertainment's network hads been hacked over two weks ago.
* Sony apologises for previous assurances that Sony Online Entertainment servers were safe.
* Sony begins mass-email alert. It tells 24.6 million Sony Online Entertainment users that their data was compromised on April 16th.