Sony PlayStation Network data breach timeline

Sony’s troubles with hackers continue. Reuters has just reported that Sony Ericsson’s Canadian eShop website was shut down by hackers, with personal data stolen from 2,000 more customers.

Earlier this week Sony disclosed that 8,500 Greek user accounts had been compromised and its sites hit in Thailand and Indonesia. That, of course, follows last month’s granddaddy denial of service attack and theft of personal data for more than 100 million customers of Sony’s PlayStation Network.

Sony CEO Howard Stringer has apologized in a letter to customers and said the company is “working with the FBI and other law enforcement agencies around the world to apprehend those responsible.”


As a rule of thumb, corporations strive to publicly disclose as few details as they can, for as long as they can, about any data breaches they’ve suffered.

Yet the hack of Sony’s PlayStation Network has interestingly emerged as one of the most widely discussed data breaches in recent memory. Here is an illuminating timeline compiled by vulnerability management firm Lumension that may help you understand why.

Sony PlayStation breach timeline

  • Apr. 20 – PlayStation experiences beginning of network outage
  • Apr. 26 (9:30 a.m. PT) – PlayStation Network outage for 6 days and still no answers available for its customers
  • Apr. 26 (1:00 p.m. PT) – Later that same day, Sony says billing addresses, user names, passwords and possibly credit card info belonging to its PlayStation Network Customers have been stolen
  • Apr. 27 – News about how unhappy users are with the lack of information from Sony continues to run rampant and Sony is sued.
  • Apr. 28 – A database of 2.2 million Sony customer credit cards is offered for sale on an underground Internet forum
  • Apr. 29 – Government officials question what Sony is doing and how they will make things right with customers
  • Apr. 30 – Sony PlayStation Network services announced they will be up and running later in the week and customers will get a free 30-day service and theft protection monitoring service
  • May 2 – The PlayStation breach extends to Sony Online Entertainment
  • May 4 – Reports surface about Anonymous’ potential involvement in the hack, but they deny it
  • May 5 – NY attorney general subpoenas Sony and the same day the CEO offers the first apology and explanation for what may have happened
  • May 6 – According to reports, a security expert testifies to a House subcommittee that Sony knew it was in possession of outdated security software
  • May 7 – Sony says the PlayStation network might not be up and running as quickly as they thought due to more testing needed
  • May 12 – Sony announces “perks” post-breach
  • May 14 – Sony begins relaunch of PlayStation Network in stages
  • May 16 – Japan’s government announces they are waiting for better security measures from Sony
  • May 25 – Sony discloses compromise of 8,500 Greek user accounts and its sites hit in Thailand and Indonesia.
  • May 27 – Sony discloses shut down and data loss from Sony Ericsson’s Canada website; data for 2,000 people, including names, email addresses and encrypted password, appear on The Hacker News web site.

Q & A with Paul Henry, Lumension security and forensic analyst

LW: What is a plausible scenario for how the Sony breach occurred?

Henry: It was initially a DDoS attack by Anonymous that failed as Sony contracted with Prolexic for DDoS defense. From the ICQ messages I have seen, Anonymous knew the DDoS attacks were failing by simply looking at a traceroute for Sony traffic as the attack waned … they were able to determine Prolexic had been engaged and had previously successfully defended multiple other Anonymous targets.

One of the last ICQ messages I read noted that Anonymous recognized the failure of the DDoS attacks and all on the ICQ chat knew they had to change tactics. It seems logical that the new tactic was a direct assault against Sony’s servers – something that Anonymous recently denied they were involved in, but later a rumor was circulating that a “fringe” group from Anonymous had actually done the subsequent penetration of the Sony network.

We have no hard data from Sony, but rumor has it the servers that were breached were running an old unpatched version of Apache on top of an old unpatched version of RedHat and were facing the public Internet without a firewall. This seems like it could very well have been the case because if they had a firewall and other traditional defenses in place there would have been logs that could have allowed Sony to answer the question as to whether credit card numbers had actually been removed from the network or not – something that they could not definitively answer.
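The point Henry makes about logs is worth seeing concretely: with perimeter records of outbound traffic, an incident responder can ask "which internal hosts sent unusual volumes to external destinations during the incident window?" and get an answer. The script below is an added illustration, not code from the article, from Lumension or from Sony. The log lines are constructed, and the pipe-delimited format, the 10.0.0.0/8 internal range, the dates and the thresholds are all assumptions chosen for the example.

```python
"""
Added example: scoping a suspected data theft from firewall egress logs.

Without perimeter logging, a company cannot say whether data actually left
the network. With it, the question becomes a measurable one: compare each
internal host's outbound volume per external destination during the incident
window against that host's own baseline from the days before.

The log lines, the format (timestamp|src|dst|dst_port|bytes_out), the
internal address range and the time windows are constructed assumptions for
this example, not any vendor's real format or any real incident data.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: an ordinary day, then a suspicious burst of outbound
# traffic from 10.0.5.21 to a destination never seen in the baseline.
SAMPLE_LOG = """\
2011-04-19T02:10:00|10.0.5.21|203.0.113.9|443|1820
2011-04-19T02:11:00|10.0.5.21|203.0.113.9|443|2044
2011-04-19T02:12:00|10.0.5.40|198.51.100.7|80|910
2011-04-19T23:50:00|10.0.5.21|203.0.113.9|443|1950
2011-04-20T01:05:00|10.0.5.21|198.51.100.200|443|734003200
2011-04-20T01:06:00|10.0.5.21|198.51.100.200|443|698351616
2011-04-20T01:07:00|10.0.5.40|198.51.100.7|80|1024
2011-04-20T01:08:00|10.0.5.33|10.0.9.2|5432|52428800
"""

# Assumed internal address space; internal-to-internal flows are not egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Assumed windows: the day before the outage as baseline, the outage day itself
# as the incident window.
BASELINE_START = datetime(2011, 4, 19)
BASELINE_END = datetime(2011, 4, 20)
INCIDENT_START = datetime(2011, 4, 20)
INCIDENT_END = datetime(2011, 4, 21)


def parse_log(text):
    """Parse pipe-delimited accept records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return records


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_by_pair(records, start, end):
    """Total bytes sent from each internal host to each external destination
    with timestamps in [start, end)."""
    totals = defaultdict(int)
    for r in records:
        if start <= r["ts"] < end and is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[(r["src"], r["dst"])] += r["bytes"]
    return dict(totals)


def flag_exfil_candidates(records, factor=50):
    """Flag (src, dst) pairs whose incident-window egress exceeds `factor` times
    the host's largest single-destination egress in the baseline. A host with
    no baseline egress at all is flagged for any outbound bytes."""
    baseline = egress_by_pair(records, BASELINE_START, BASELINE_END)
    incident = egress_by_pair(records, INCIDENT_START, INCIDENT_END)
    peak = defaultdict(int)
    for (src, _dst), b in baseline.items():
        peak[src] = max(peak[src], b)
    flagged = []
    for (src, dst), b in incident.items():
        if b > factor * peak.get(src, 0):
            flagged.append({"src": src, "dst": dst, "bytes": b,
                            "new_destination": (src, dst) not in baseline})
    return sorted(flagged, key=lambda f: -f["bytes"])


def run_sample():
    """Run the analysis over the constructed log and return the flagged pairs."""
    return flag_exfil_candidates(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['src']} -> {f['dst']}: {f['bytes']} bytes"
              f"{' (destination not seen in baseline)' if f['new_destination'] else ''}")
```

On the constructed data only the burst from 10.0.5.21 to 198.51.100.200 is flagged; the large internal database transfer from 10.0.5.33 is ignored because it never crosses the perimeter. The baseline-relative threshold is the design choice to note: an absolute byte limit would either miss small exfiltration from quiet hosts or drown busy ones in noise, whereas a per-host multiple adapts to each host's normal behaviour.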

LW: Why have data thieves begun to go after targets like Sony and Epsilon?

Henry: Sony was more of a hacktivist action whereby allegedly Anonymous went after them originally because (revenge) of the legal action Sony took against the PlayStation hacker – George Hotz. Once Anonymous, or for that matter whoever it was that entered the Sony network, realized that Sony had no formidable defenses on their network, it seems the gloves came off and they simply took revenge by plundering their environment at will.

As for Epsilon, there was no hacktivist motivation noted on the typical ICQ servers after the attack, so I think it is safe to assume they were a target simply because of their lack of meaningful defenses.

LW: Do you expect this trend to accelerate?

Henry: Hacktivism by individuals will accelerate and the next logical evolution will be state-sponsored hacktivism. We have already seen the rise of state-sponsored hacking related to intelligence gathering, i.e. the Google hack, etc.; hence states already know hacking is an effective tool to be used today and one can only expect states to support hacktivists to drive their messages to their adversaries.

LW: What are the short term and longer term implications for companies and consumers?

Henry: Short term – it means that it is not only the intellectual property or PII you store that makes you a target – today anyone is a target if for no other reason than your political view. The bottom line is that the first to fall will be those environments that failed to exercise reasonable risk management and chose either minimal security or at best the use of yesterday’s obsolete signature-based defenses, i.e. traditional AV, IDS & IPS.

Long term – the writing is on the wall; we are entering an age where, as a public company, how well your information is protected is clearly going to be reflected in the value of your publicly traded shares.

By Byron Acohido
