PlayStation Network hack or how 77 million players saw their information leaked
On 20 april 2011, PlayStation was forced to shut down its servers and therefore to temporarily close its online service, due to a cyberattack that took place from April 17 to 19 2011.
In 2007, the Playstation 3 was released in Europe, this console, heralded as the future of video games, incorporates many new features such as a CELL processor, a BLU-RAY player but also an online service called PlayStation Network, or PSN.
In April 2011, no fewer than 50 millions PS3 consoles had been sold worldwide, and 77 millions PSN accounts created on these consoles.
This online service made it possible to play online but also to chat and enjoy services such as video or audio streaming.
But, in April 2011, on April 20 exactly, PlayStation was forced to shut down its servers and therefore to temporarily close its online service, due to a cyberattack that took place from April 17 to 19.
The precedents of PSN hacks
Before explaining this breakdown and hacking, it is important to know that Sony’s servers are not the first to be hacked and attacked.
In May 2009, a software called Open Remote Play made it possible to use the functionalities of the PlayStation 3 from a computer via the remote play function, while this is officially not possible.
In March 2010, Sony had to update its operating system because hackers managed to put Linux on the console.
In December 2010, a new security flaw appeared in the security of the PS3 at the level of the application signing keys. Hackers, called Fail0verFlow, discovered that a normally random number m was used constantly. Under these conditions, it was enough for this team of hackers to develop an algorithm to go back to the source and discover the keys. Thanks to these public and private keys, the hackers were able to replace the revocation list (when a key is public, it is revoked so that it can no longer be used) with a new list exceeding the normal size and causing an OverFlow (buffer overflow) during console launch at the NOR Flash level, allowing full access to the PS3 system.
January 2, 2011, a hacker, named George Hotz, managed to jailbreak an OS by installing unapproved third-party applications, the next day, George Hotz begins to distribute the jailbreak on his site.
On January 11, 2011, following this distribution, Sony decided to file a complaint against George Hotz. At the beginning of April, the Anonymous group attacked Sony’s servers to protest against this complaint. On April 11, 2011, it was revealed that Hotz and Sony had reached an out-of-court settlement. This included a permanent injunction against Hotz for any pirating work on all Sony’s products.
Between April 17 and 19 of that same year, the PlayStation Network suffered from an unprecedented attack, an external intrusion that would cause major problems.
The breakdown and the silence of Sony
The external intrusion, which took place between April 17 and 19, 2011, led to a PSN’s outage. Indeed, users trying to connect to the online service on the PS3 received an alert message stating “under maintenance”. On April 20, gamers were unaware that Sony’s servers were attacked. Sony communicated, via the official PlayStation blog, that they were “aware that certain PlayStation Network features” were down.
On April 21, 2011, Sony asked players to be patient and that online functionalities would return within 2-3 days, and claimed that no data was leaked, banking or not.
However, the following April 26, a week after the servers were shut down, Sony contradicted itself and stated that it “did not rule out a possible” potential data leak. Sony has acknowledged the “compromising of personal information as a result of unlawful intrusion into our systems”. This leak includes :
- Username
- Password
- Email address
- Mailing address
- Credit card datas
On May 1, 2011, the servers were still not back, but Sony announced the “Welcome Back” program announcing that services would return the week following May 1.
Official statement and revelations
On May 2, 2011, Sony finally decides, after two weeks of server shutdown, to issue an official press release announcing that the online servers have been taken offline for maintenance due to activities potentially related to criminal hacking.
Sony also indicates that more than 12,000 encrypted non-US credit card numbers and 24.7 millions accounts were accessed and recovered by hackers.
During this week, Sony sent a letter to the US House of Representatives, responding to questions and concerns about the event. In the letter, Sony said it would provide identity theft insurance policies in the amount of $1 million per user of PlayStation Network services, although there were no reports of credit card fraud.
On May 4, 2011, Sony acknowledge that it had been aware of the PlayStation Network’s sensitivity but had paid no real attention to it. Shinji Hasejima explains that “the vulnerability of the network was known, one of the best known in the world. But Sony wasn’t sensitive enough… wasn’t convinced. We are now trying to improve it”. Professor Gene Spafford, from Purdue University, reveals that Sony was using outdated versions of software and that its servers were not protected by a firewall. Sony completely denies these accusations.
Security experts Eugene Lapidous of AnchorFree, Chester Wisniewski of Sophos Canada and Avner Levin of Ryerson University have strongly criticized Sony for questioning how it secures user data. Eugene Lapidous called the cyberattack “hard to excuse” and Chester Wisniewski called it “an act of hubris or just blatant incompetence.”
It is important to check the vulnerability of an information system, for this, it is recommended to do intrusion tests of the entire system to detect flaws before it is too late.
The re-opening of the servers, 23 days later
On May 6, 2011, the servers were still not operational but Sony stated that they had begun the “final stages of internal testing” for the PlayStation Network, which had been rebuilt.
The British news agency, Reuters, titled the attack as “the biggest cyber security breach ever”.
A Sony spokesperson said :
- Sony had deleted the stolen personal datas of 2,500 people
- Data included names and some addresses
- No date had been set for the restart
On May 14, various services began to come back online country by country, starting with the United States. These services included:
- connection to PSN services (with the obligation to reset the password)
- Online play on PS3 and PSP
- playback of rented video content
- Music Unlimited service
- access to third-party services (such as Netflix or Hulu)
- friends list
- chat functionality
- PlayStation Home
On May 18, Sony was forced to urgently shut down the password reset page on its site following the discovery of another exploit that allowed users to reset other user’s passwords, using the other user’s email address and date of birth.
The Consequences
During the press conference on May 1, Sony announced the “Welcome Back” plan, this compensation plan announced free games. Sony compensated the players, in exchange for a possible complaint against them, by offering:
- 2 PS3 games from a list of 5 games
- 2 PSP games from a list of 4 games
- 30 days free to PlayStation Plus (the paid subscription of Playstation)
- Free protection against data theft for one year
On May 23, Sony said breakdown costs totaled $171 million.
During the entire breakdown, Sony shares fell 8% on the Tokyo Stock Exchange.
Many governments have launched investigations against the Japanese giant. The ICO (Information Commissioner’s Office) in England found Sony guilty of data protection breaches and Sony had to pay £250,000.
Sony had been asked to testify in front of the US Congress on computer security and answer questions about the cyberattack they suffered, but Sony decided to send only a written response instead.
A lawsuit was posted on April 27 by Kristopher Johns of Birmingham, on behalf of all PlayStation users, alleging that Sony “failed to encrypt the data and establish adequate firewalls to handle a contingency server intrusion, failed to provide prompt and adequate warnings of security vulnerabilities, and unreasonably delayed bringing the PSN service back online.”
In the United States, not less than 55 class actions have been launched against Sony. A Canadian lawsuit against Sony USA, Sony Canada and Sony Japan claimed damages of up to 1 billion canadian dollars.
In October 2012, a California judge dismissed a lawsuit against Sony for breaching PSN security, ruling that Sony had not violated California consumer protection laws, citing “there is no security perfect”.
On September 15, 2011, the terms and conditions of use were changed, these changes were motivated by the numerous actions incurred against Sony and these new conditions now protect them more from possible attacks thereafter, and make users waive their right to sue Sony.
This case, called the PSNGate, is now listed as one of the most important cyber-attacks of the past 20 years.
Sony lost a lot in this case, both financially and in terms of reputation. Their IT security was clearly inadequate and the Japanese giant rested too much on these laurels by feeling untouchable.
Officially, no identified person has been arrested or convicted in this PSN’s, which has been closed for 23 days.
