Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE)

Name of Entity
Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE)
Organization Type
Businesses-Retail/Merchant - Including Online Retail

New York, NY
United States

Sony discovered an external intrusion on PSN and its Qriocity music service around April 19. Sony placed an outage to block users from playing online games or accessing services like Netflix and Hulu Plus on Friday April 22. Sony says the outage will continue until the situation is addressed, which will likely be within the next week. Sony believes an unauthorized person has obtained names, addresses, email addresses, dates of birth, PlayStation Network/Qriocity password and login, and handle/PSN online IDs for multiple users. The attacker may have also stolen users' purchase history, billing address, and password security questions. User credit card numbers may have also been obtained. Sony has hired a security firm to investigate the incident and strengthen the network infrastructure by re-building their system to provide greater protection of personal information.An individual filed a class action lawsuit on behalf of all PSN users following seven days of a Sony PlayStation Network outage. The lawsuit alleges that Sony "failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back on line." It also accused Sony of violating the Payment Card Industry (PCI) security standard, which prohibits companies from storing cardholder data.UPDATE (5/3/2011): A review of Sony's network breach revealed that it was larger than first thought. Sony turned the SOE system off.  Hackers may have taken personal information from an additional 24,600,000 user accounts in Austria, Germany, the Netherlands and Spain. Names, addresses, genders, email addresses, login name and associated password, phone numbers and birth dates of SOE gaming customers, as well as data from about 12,700 credit card accounts and 10,700 bank accounts from an outdated 2007 database could have been accessed.  The outdated account information that may have been obtained by hackers includes credit card numbers, debit card numbers, expiration dates, bank account numbers, customer names, account names and customer addresses. The SOE network hosts games that are played over the Internet on personal computers and is separate from the PlayStation network.  Sony has not clearly indicated if credit card numbers were compromised.  At least one report indicates that the numbers were encrypted.  These breached records will not be added to the total until more is known.UPDATE (5/6/2011): Sony now indicates that some credit card numbers were compromised.  Twelve million credit card numbers were unencrypted and could easily be read.UPDATE (5/7/2011): Sony discovered that hackers had placed customer information online. Sony removed the information.  It included customer names and addresses from a 2001 Sony database.Service restoration for the PlayStation network was indefinitely delayed. Additionally, the CEO issued an apology letter.UPDATE (5/17/2011): Hackers began changing user passwords by using PSN account emails and dates of birth within two days of the partial restoration of the PlayStation Network.  Sony failed to alter the password reset system to account for hackers having obtained user email addresses and dates of birth.  Users who changed their passwords, but not the email associated with their PlayStation Network accounts, were vulnerable to the hacker exploit. Sony shut down the PlayStation Network again and released a short statement about the incident.UPDATE (5/23/2011): Sony headquarters expects to spend about $171 million on its personal information theft protection program, welcome back programs, customer support, network security enhancements and legal costs associated with the breach.UPDATE (6/2/2011): Sony fully restored all Playstation Network services in all areas except Japan.  The Playstation Store and Qriocity divisions are now functioning properly.  UPDATE (6/4/2011): A concise history of the Sony hacks can be found here.UPDATE (7/21/2011): Zurich American, one of Sony's insurers, is suing to deny releasing data breach coverage funds to Sony.  Sony expects the breach to lower operating profit by $178 million in the current financial year.  A total of 55 class action complaints have been filed.UPDATE (10/11/2011): Sony Online Entertainment became aware of a large number of unauthorized sign-in attempts.  The attempts took place between October 7 and 10.  About 93,000 PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment services accounts may have been compromised.  The unauthorized parties appear to have verified valid sign-in IDs and passwords after a number of failed attempts.  Sony temporarily locked those accounts. It is unclear if the email addresses were obtained from a previous breach.UPDATE (10/19/2012): A federal judge found that Sony users signed a privacy policy informing them that Sony's security was not perfect.  Sony was cleared of negligence, unjust enrichment, bailment, and violations of California consumer protection statutes. The judge ruled that plaintiffs could not claim that Sony violated consumer-protection laws because PSN services were free of cost.  This dismissed much of the lawsuit.UPDATE (12/16/2013): Sony agreed to drop an insurance claim over litigation related to the 2011 breach.UPDATE (7/30/2014): "Sony recently offered to settle a class action lawsuit over the 2011 breach of its PlayStation Network. According to the terms of the proposed $15 million settlement, the money will be paid out in the form of games. Class members who didn't take advantage of initial "Welcome Back" package of games and memberships offered in 2011 will receive on of the 14 PlayStation 3 or PlayStation Portable games, as well as three of six PS3 themes or a three-month PlayStation Plus subscription. Qriocity users will get one month of free access."
Date of Breach