Sony's letter to Congress provides timeline for PlayStation Network breach, accuses Anonymous of incidental involvement

Late last week, a Congressional subcommittee sent a letter to Sony's second-in-command Kaz Hirai pressing him for more answers on the massive PlayStation Network security breach. Today, Hirai has responded with an eight-page letter that not only addresses each of the subcommittee's questions one by one but also provides more details about the Sony Online Entertainment breach and volleys a not-so-subtle jab at Anonymous, a hacking group he calls "conspirators or... simply duped into providing cover for a very clever thief." Yeah, it's a great read. The biggest takeaways and a full timeline of events after the break.

A Timeline of Events

Tuesday, April 19 at 4:15PM PDT: The Sony Network Entertainment America network team noticed several PSN servers in the San Diego, California data center rebooting when they weren't scheduled to do so, and that "unplanned and unusual activity was taking place on the network." Four servers were taken offline and an internal assessment of the quartet began. This continued through the evening.

Wednesday, April 20th: SNEA expanded the internal team to continue the assessment of these four servers. By early afternoon, it discovered "the first credible indications that an intruder had been in the PlayStation network systems" and identified six more servers that might've been compromised. Additionally, there was "evidence that indicated an unauthorized intrusion had occurred and that data of some kind had been transferred off the PlayStation Network servers without authorization," but it was unable to determine exactly what type of data had been transferred.

Later that afternoon, SNEA retains a "recognized security firm and forensic consulting firm to mirror the servers to enable forensic analysis to begin." The letter here notes that many hours were needed to simply mirror the servers — by the afternoon of Friday, April 22nd, nine of the 10 servers were completely mirrored.

Thursday, April 21st: A second "recognized computer security and forensic consulting firm" was brought in to assist.

Friday, April 22nd: SCEA's general counsel provided the FBI with information about the intrusion. "The forensic experts that Sony Network Entertainment America had retained had not determined the scope or effect of the intrusion at the time the FBI was contacted. A meeting was set up to provide details to law enforcement" for Wednesday, April 27 — five days later.

Saturday, April 23rd: Forensic teams confirm that intruders had managed to "obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside the servers." The intruders had also deleted log files to hide the extent of their work. The PlayStation Blog blames the downtime on an "external intrusion."

Sunday, April 24th (Easter): Now that Sony "knew it was dealing with a sophisticated hacker," it retains yet another firm. "Specifically, this firm was retained to provide even more manpower for forensic analysis... and, in particular, to use their special skills to determine scope of the data theft."

Monday, April 25th: Sony is able to confirm "the scope of the personal data that they believed had been taken but could not rule out whether credit card information had been accessed." On the credit card question, the letter adds: "while no evidence existed... we ultimately could not rule out that possibility entirely based on the reports of the forensics team."

Tuesday, April 26th: Sony makes its first public announcement, outlining what was taken and warning that credit card information might have been compromised. Seeing a million or so fingers pointed in its direction, hacker collective Anonymous denies responsibility ("For Once We Didn't Do It"). SNEA notifies "applicable regulatory authorities" in New Jersey, Maryland, and New Hampshire of the criminal intrusion. Sony says some services are expected to be restored "within a week," which would've been May 3rd.

Wednesday, April 27th: SNEA notifies the regulatory authorities in Hawaii, Louisiana, Maine, Massachusetts, Missouri, New York, North Carolina, South Carolina, Virginia, and Puerto Rico. The PlayStation Blog publishes its first Q&A followup.

Thursday, April 28th: Q&A number two for the PlayStation Blog. It's revealed both the Department of Homeland Security and FBI are investigating.

Friday, April 29th: The US House of Representatives' Subcommittee on Commerce, Manufacturing, and Trade sends a letter to Hirai along with a list of questions and concerns.

Saturday, April 30th: Sony announces a press conference for the following day.

Sunday, May 1st: Kaz Hirai holds an afternoon press conference in Tokyo to outline which portions of the PlayStation Network will be restored this week and to introduce the forthcoming "Welcome Back" program. The investigation brings to light that Sony Online Entertainment was also breached.

Monday, May 2nd: SOE servers are shut down. Later that afternoon, the company issues a press release announcing the extent of the breach.

Tuesday, May 3rd: Blueberry pie! No, not really.

Wednesday, May 4th: Hirai sends an eight-page response to Congress.

According to Reuters, Sony's aforementioned retained firms include teams from Data Forte, Guidance Software, and Robert Half International subsidiary Protiviti. It's also hired the law firm Baker & McKenzie to help with the investigation.

Sony Online Entertainment

On April 28th, representatives for Sony Online Entertainment — the group behind DC Universe Online and other MMOs — took to the forums to say, "We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons." As we now know, that's not quite the case.

According to the letter, on the afternoon of May 1st, Sony learned about the SOE intrusion in the course of the ongoing investigation. As I've reported before, the information compromised includes 24.6 million SOE accounts (US and international), 12,700 non-US credit cards, and 10,700 direct deposit records (read: bank information) from customers in Austria, Germany, the Netherlands and Spain.

Was Anonymous duped?

Sony doesn't get specific as to when the attack on SOE first took place (we heard April 16th and 17th in a press release earlier this week), but it does make a point of mentioning, "it also discovered that the intruders had planted a file on one of those servers named 'Anonymous' with the words 'We are Legion.'" Sony goes on to describe the "coordinated denial of service attack" instigated by Anonymous. The company is pretty clear here in saying "one or more cyber criminals gained access to PlayStation Network servers at or around the same time" as those attacks.

The letter says SNEA likely didn't immediately detect the intrusion for several reasons, including the sophistication of the attack and the fact that the hackers exploited a system software vulnerability. It then goes on, and this is where it gets juicy, to suggest the concurrent DDoS attack was possibly an intentional distraction to keep the security teams preoccupied. I want to quote Sony directly here, because it's a zinger:

"Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know. In any case, those who participated in the denial of service attacks should understand that — whether they knew it or not — they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world."

So, is Anonymous being accused? Not really — Sony's pretty clear later that they haven't yet identified who's responsible — but it's quite upfront in saying the famed hacking group might've been hoodwinked into doing someone else's dirty work. Anonymous' attack is nothing if not predictable given Sony's lawsuit against PS3 hacker Geohot.

It's worth noting that by April 16th — when SOE claims the intrusion took place — Anonymous had called off its DDoS altogether and moved on to a real-life Sony protest.

12.3 million credit cards — but so far, so good

The good news, if there is any to take from this, is that so far no major credit card companies are reporting any increase in the number of fraudulent credit card transactions as a result of the attack. Still, as of this letter the company hasn't been able to "conclude with certainty through the forensic analysis done to date" that credit card information wasn't extracted. As for just how many cards were in the system, Sony says 12.3 million account holders had CC information on file, 5.6 million of them from the US (both active and expired cards). That's just under 16 percent of the entire 77 million accounts compromised.

What's left, what's missing

The rest of the letter covers pretty much what we've already heard over the past week, including the expedited move from the San Diego data center to a new location with enhanced security and the "Welcome Back" program gifting extra PlayStation Plus / Qriocity days and other, yet-to-be-announced gifts.

So, why did it take so long for Sony to come clean on the breach? The original letter from Congress asks the company directly. In response, Sony claims it wasn't until April 25th, six days into the shutdown of PSN, that it knew the scope of the breach. It first mentioned an "external intrusion" on April 23rd, and then went into detail on the matter April 26th. In the letter, the company maintains that "announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence." Translation: it's a silly non-answer dragged out over two pages of information on the timeline itself and talk of state statutes with "conflicting or inconsistent requirements." But after all this, it's probably the best non-answer we'll get. Read it for yourself:

Sony's letter on the Playstation security breach