2011 PlayStation Network outage

In 2011, the PlayStation Network experienced an outage, often called the PSN Hack. Attackers broke into Sony's PlayStation Network and Qriocity services and stole personal information from about 77 million accounts. While the network was down, users of PlayStation 3 and PlayStation Portable consoles could not use the service. The intrusion took place between April 17 and April 19, 2011, and Sony shut down the PlayStation Network servers on April 20. The service was unavailable for 24 days. Government officials in several countries raised concerns about the stolen information, and about Sony waiting about a week before telling users what had happened. The exposed data included usernames, addresses, email addresses, birth dates, passwords, and financial details such as credit and debit card numbers.

Extent of the breach

Personal information from about 77 million accounts was stolen. While the network was offline, users of PlayStation 3 and PlayStation Portable consoles could not use the service.

Credit card information was stored encrypted, but Sony said that other user details were not encrypted at the time of the attack. The Daily Telegraph reported, "If a company keeps passwords without encryption, it is easy for others—not just outside attackers, but also employees or workers at Sony—to access and use those passwords for harmful purposes." On May 2, Sony clarified that the stored passwords were not encrypted but had been transformed with a cryptographic hash function. Whether that protects users depends on how the hashing was done: a fast, unsalted hash of a weak password can be recovered from a stolen table with a precomputed dictionary, which is why a salted, deliberately slow password hash is the usual recommendation.
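The difference matters in practice. The following Python script, added here as an illustration and not taken from Sony or from any report cited on this page, stores a constructed set of accounts three ways (plaintext, unsalted SHA-1, and salted PBKDF2) and then runs the same offline dictionary attack that an attacker holding a database dump would run. The account names, passwords, wordlist and iteration count are made up for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist and accounts (assumptions for the example; not Sony's data).
WORDLIST = ["letmein", "password", "qwerty", "sony2011", "dragon"]
PBKDF2_ITERATIONS = 1_000  # kept small for the demo; production values are far higher


def store_plain(password):
    # Plaintext: anyone who can read the table has the password.
    return {"scheme": "plain", "value": password}


def store_sha1(password):
    # Unsalted fast hash: identical passwords give identical digests,
    # and one precomputed table serves every account.
    return {"scheme": "sha1", "value": hashlib.sha1(password.encode()).hexdigest()}


def store_pbkdf2(password, iterations=PBKDF2_ITERATIONS):
    # Per-user random salt plus a deliberately slow key derivation.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": iterations, "value": dk}


def verify_pbkdf2(record, password):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["value"])


def crack(records, wordlist):
    """Offline dictionary attack on a stolen table.

    Returns (cracked, work): which accounts fell and how many hash
    computations it cost, so the three storage schemes can be compared.
    """
    cracked, work = {}, 0

    # Unsalted digests: one lookup table, built once, serves every account.
    sha1_table = {}
    for word in wordlist:
        sha1_table[hashlib.sha1(word.encode()).hexdigest()] = word
        work += 1

    for user, record in records.items():
        scheme = record["scheme"]
        if scheme == "plain":
            cracked[user] = record["value"]          # nothing to do
        elif scheme == "sha1":
            if record["value"] in sha1_table:
                cracked[user] = sha1_table[record["value"]]
        elif scheme == "pbkdf2":
            # The salt defeats the shared table: every guess is recomputed per
            # account, and each guess costs `iterations` HMAC evaluations.
            for word in wordlist:
                work += record["iterations"]
                if verify_pbkdf2(record, word):
                    cracked[user] = word
                    break
    return cracked, work


def sample_records():
    # Constructed accounts; "dragon" is in the wordlist, the passphrase is not.
    return {
        "alice": store_plain("letmein"),
        "bob": store_sha1("qwerty"),
        "carol": store_pbkdf2("dragon"),
        "dave": store_pbkdf2("correct horse battery staple"),
    }


if __name__ == "__main__":
    cracked, work = crack(sample_records(), WORDLIST)
    print(cracked)   # alice, bob and carol fall; dave does not
    print(work)      # 10005 hash computations, almost all spent on the two PBKDF2 records
```

A weak password still falls under PBKDF2, but only after per-account work that scales with the iteration count, and two users with the same password no longer share a digest. Hashing alone, as the page describes, is not the same as safe storage.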

About a week after the service interruption, Sony said it "cannot rule out the possibility" that personal information such as PlayStation Network usernames, passwords, home addresses, and email addresses had been stolen. Sony also said credit card data might have been taken, although it stated that the credit card database was encrypted. Encrypting stored card numbers addresses one of the requirements for holding cardholder data on a server, but not all of them. After the official blog post and email announcement, users were told to watch their bank statements for fraudulent transactions. This warning came nearly a week after the initial "external intrusion", while the network was still offline.

At the time of the outage, with 77 million registered PlayStation Network accounts, the event was not only one of the largest data security breaches ever but also the longest PlayStation Network outage in history. It was larger than the 2007 TJX breach, which affected 45 million customers.

In 2012, The Guardian wrote:

Timeline of the outage

Sony said on the PlayStation Blog that it knew some parts of the PlayStation Network were not working. When users tried to log in using PlayStation 3 devices, they saw a message saying the network was being fixed. The next day, Sony asked customers to be patient while they looked into the problem and said it might take one or two days to fix the service completely. Sony stopped all PlayStation Network and Qriocity services worldwide.

Most games could still be played offline, but some Capcom titles could not be played on the PlayStation 3 at all. Streaming services such as Hulu, Vudu, Netflix, and LoveFilm showed the same maintenance message. Some users reported that Netflix still worked for them, while others could not use it.

Sony said an outside attack had affected the PlayStation Network and Qriocity services.

Sony apologized for the downtime and said fixing the system was a difficult task, but it would make the network stronger and more secure.

A Sony representative named Patrick Seybold said on the PlayStation Blog that repairing and improving the network would take a long time, and there was no estimate for how long it would take. However, the next day, Sony said there was a clear plan to bring the PlayStation Network and Qriocity services back online, with some services expected to return within a week. Sony also said that personal information had been stolen due to the attack.

On April 26, 2011, Sony explained on the PlayStation Blog why it took so long to tell users about the data theft.

On April 27, Sony said in a blog post that it was working with law enforcement and a security company to investigate the attack. Sony called the attack a criminal act and said it was working hard to find those responsible.

Sony announced a "Welcome Back" program for customers affected by the outage. The company also said some PlayStation Network and Qriocity services would be available during the first week of May.

Sony said in a press release that Sony Online Entertainment (SOE) services had been taken offline for maintenance because of activity linked to the initial attack. About 12,700 credit card numbers (stored in encrypted form) belonging to non-U.S. cardholders and information from 24.6 million SOE accounts may have been accessed.

During the week, Sony sent a letter to the U.S. House of Representatives, answering questions about the event. Sony said it would offer Identity Theft insurance policies worth $1 million per user of PlayStation Network and Qriocity services, even though no credit card fraud had been reported. This was later confirmed on the PlayStation Blog, where it was announced that the service, AllClear ID Plus powered by Debix, would be free for 12 months in the U.S. and include Internet monitoring, identity repair, and $1 million in identity theft insurance per user.

Sony Computer Entertainment CEO Kazuo Hirai said the "external intrusion" that caused the PlayStation Network shutdown was a "criminal cyber attack." He added that Sony systems had been under attack for about a month and a half before the outage, suggesting a planned effort to target Sony.

On May 3, Sony said in a press release that the attack on April 16 might be connected to another attack on May 2 that affected Sony Online Entertainment. This attack stole information from 24.6 million SOE account holders, including 12,700 credit card numbers (mostly from non-U.S. residents). Sony later said only 900 of those cards were still valid. The attack caused SOE servers and Facebook games to shut down. SOE gave users 30 days of free time, plus one day for each day the servers were down, for several games, along with other compensation.

Sony added Data Forte to the investigation team working with Guidance Software and Protiviti to analyze the attacks. Legal matters were handled by Baker & McKenzie. Sony believed a group called Anonymous might have been involved in the attack, but no members of the group claimed responsibility.

Sony said it had completed the final steps of testing the rebuilt PlayStation Network. However, the next day, Sony said it could not bring services back online within the one-week timeframe given on May 1 because the full extent of the attack on SOE servers was not known at the time. SOE confirmed on Twitter that their games would not be available until after the weekend.

Reuters reported the event as "the biggest Internet security break-in ever." A Sony spokesperson said:

  • Sony had removed the personal details of 2,500 people stolen by hackers and posted online.
  • The data included names and some addresses from a database created in 2001.
  • No date had been set for when services would restart.

Various services began returning online in different countries, starting with North America. These included: sign-in for PlayStation Network and Qriocity services (including password resets), online gameplay on PlayStation 3 and PSP, playback of rented videos, the Music Unlimited service (on PlayStation 3 and PC), access to third-party services such as Netflix, Hulu, Vudu, and MLB.tv, friends lists, chat features, and PlayStation Home. A firmware update for the PlayStation 3, version 3.61, was also released. As of May 15, the resumption of service in Japan and East Asia had not yet been approved.

Sony shut down the password reset page on its website after finding a new flaw: the page let anyone reset another user's password by supplying that user's email address and date of birth. Both of those values were among the data stolen in the breach, so the check offered no protection against the attackers who held it. Sign-in with PlayStation Network credentials to other Sony websites was also disabled, but console sign-ins were not affected.
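To show why that reset flow failed, here is a small Python example, added for this page and not Sony's code: a knowledge-based reset that checks email and date of birth, beside a token-based reset that requires a random, single-use, expiring token delivered out of band. The account record, the stolen values and the injectable clock are constructed for the demonstration.

```python
import hmac
import secrets
import time

# Constructed account store and stolen record (assumptions for the example;
# not Sony's schema or data).
ACCOUNTS = {"user@example.com": {"dob": "1985-04-20", "password": "old-secret"}}
STOLEN = {"email": "user@example.com", "dob": "1985-04-20"}


def reset_by_knowledge(accounts, email, dob, new_password):
    """Flawed flow: proves knowledge of email and date of birth.

    Both values were in the stolen data, so anyone holding the dump passes.
    """
    acct = accounts.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    acct["password"] = new_password
    return True


class TokenReset:
    """Hardened flow: proves possession of an unguessable token that is
    delivered out of band, expires, and can be used only once."""

    def __init__(self, accounts, ttl_seconds=900, now=time.time):
        self.accounts = accounts
        self.ttl = ttl_seconds
        self.now = now                # injectable clock so expiry is testable
        self._pending = {}            # email -> (token, expiry timestamp)

    def request(self, email):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        if email in self.accounts:
            self._pending[email] = (token, self.now() + self.ttl)
        # Returned here only to stand in for delivery to the mailbox; a real
        # service would send it and return nothing, so that the response does
        # not reveal whether the address exists.
        return token

    def complete(self, email, token, new_password):
        entry = self._pending.get(email)
        if entry is None:
            return False
        expected, expiry = entry
        if self.now() > expiry:
            del self._pending[email]          # stale token is discarded
            return False
        if not hmac.compare_digest(expected, token):
            return False                      # constant-time comparison
        del self._pending[email]              # single use
        self.accounts[email]["password"] = new_password
        return True


def demo():
    """Runs the attacker's attempt against both flows; returns the outcomes."""
    weak = {k: dict(v) for k, v in ACCOUNTS.items()}
    knowledge_result = reset_by_knowledge(weak, STOLEN["email"], STOLEN["dob"], "attacker")

    strong = {k: dict(v) for k, v in ACCOUNTS.items()}
    reset = TokenReset(strong)
    # The attacker knows email and DOB but never receives the token.
    token_result = reset.complete(STOLEN["email"], "any-guess", "attacker")
    return knowledge_result, token_result


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the second flow is that the secret it checks is created at reset time and sent over a channel the attacker does not control, rather than being an attribute that already sits in the stolen database.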

Sony said the outage cost $171 million.

Reaction

Graham Cluley, a senior technology consultant at Sophos, stated that the breach "certainly ranks as one of the biggest data losses ever to affect individuals."

Security experts Eugene Lapidous of AnchorFree, Chester Wisniewski of Sophos Canada, and Avner Levin of Ryerson University (now Toronto Metropolitan University) criticized Sony for its handling of user data. Lapidous called the breach "difficult to excuse," and Wisniewski described it as "an act of hubris or simply gross incompetence."

US Senator Richard Blumenthal of Connecticut asked Sony for answers about the data breach by emailing SCEA CEO Jack Tretton. He criticized the delay in informing customers and urged Sony to provide more support than just free credit reporting services. Blumenthal later requested an investigation by the US Department of Justice to identify those responsible and determine if Sony was legally responsible for its actions.

Congresswoman Mary Bono Mack and Congressman G. K. Butterfield sent a letter to Sony, asking when the breach was discovered and how the company would address the crisis.

Canada’s Privacy Commissioner, Jennifer Stoddart, confirmed that Canadian authorities would investigate the breach. Her office expressed concern about why Canadian officials were not informed earlier about the security issue.

After a formal investigation into Sony’s violations of the UK’s Data Protection Act 1998, the Information Commissioner’s Office fined Sony £250,000 ($395,000) and criticized the company’s weak security measures.

On April 27, Kristopher Johns of Birmingham, Alabama, filed a lawsuit on behalf of all PlayStation users. The lawsuit claimed Sony failed to encrypt data, set up proper firewalls, warn customers about security breaches, and restore the PSN service promptly. The complaint also said Sony did not inform users about a possible breach or about its storage of credit card information, in violation of the Payment Card Industry Data Security Standard (PCI DSS).

A Canadian lawsuit against Sony USA, Sony Canada, and Sony Japan sought up to C$1 billion in damages, including free credit monitoring and identity theft insurance. The plaintiff said, "If you can't trust a huge multi-national corporation like Sony to protect your private information, who can you trust? It appears to me that Sony focuses more on protecting its games than its PlayStation users."

In October 2012, a California judge dismissed a lawsuit against Sony over the PSN security breach, ruling that Sony had not broken California’s consumer-protection laws, stating, "there is no such thing as perfect security."

On May 1, Sony held a press conference in Tokyo and announced a "Welcome Back" program. The program included free PlayStation Plus memberships for 30 days for all PSN members, with existing members receiving an extra 30 days. Qriocity subscribers also received 30 days of free service. Sony promised additional content and services in the coming weeks.

Hulu compensated PlayStation 3 users for the outage by offering one week of free Hulu Plus service.

On May 16, 2011, Sony announced that two PlayStation 3 games and two PSP games would be given for free from lists of five and four, respectively. The available games varied by region and were only available in countries that had access to the PlayStation Store before the outage. On May 27, Sony announced the "welcome back" package for Japan and the Asia region (Hong Kong, Singapore, Malaysia, Thailand, and Indonesia). In the Asia region, a free theme called "Dokodemo Issyo Spring Theme" was added to the package.

^† Five PSP games were offered in the Japanese market.

^‡ The version of Killzone Liberation offered did not include online gameplay functionality.

Some users reported credit card fraud, but those cases had not been linked to the incident. Sony stated that the card security codes (CSC) used by its services were not stored, but the attackers may have decrypted or recorded credit card details while they were inside Sony's network.

On May 5, a letter from Sony Corporation of America CEO and President Sir Howard Stringer said there was no evidence of credit card fraud and that a $1 million identity theft insurance policy would be available to PSN and Qriocity users.

Sony PlayStation controversies during a similar timeframe

In March 2010, Sony released a software update for the PlayStation 3 that prevented users from installing other operating systems, such as Linux. This change caused strong criticism from the modding community.

On January 2, 2011, George Hotz, also known as Geohot, successfully jailbroke the PS3 firmware and shared the method online soon after. In response, Sony filed a lawsuit against Hotz on January 11, 2011, for his actions.

On April 2, 2011, the hacker group Anonymous began "Operation Sony" as a protest. By April 11, Sony reached a settlement in the lawsuit with Hotz. On April 13, Anonymous encouraged a public protest against Sony.
