
Sony outlines PlayStation Network revival plans

Sun 01 May 2011 6:12am GMT / 2:12am EDT / 11:12pm PDT
Publishing

Creates security officer position, promises incentives for gamers

At a Tokyo press conference this morning Sony executives apologised for the PlayStation Network outage that has seen the theft of millions of gamers' personal data - possibly even credit cards.

Sony revealed its "Welcome Back" programme designed to reward customers affected by the outage.

Sony will offer "selected PlayStation entertainment content" for free download on a region by region basis. It will announce the content soon.

All existing PSN customers will get 30 days free membership in the PlayStation Plus service. Existing PS+ customers receive 30 days free. Qriocity subscribers receive 30 days free.

Sony promised more Welcome Back "entertainment and services" over the coming weeks as PSN is turned back on. Sony reconfirmed the news that some PSN and Qriocity services will be available this week. Sony will first turn back on gaming, music and video services.

Meanwhile, Sony went into a bit more detail on last week's cyber-attack that rocked the game industry and left personal data tied to 77 million PSN accounts stolen.

Sony has implemented a variety of new security measures to provide greater protection of personal information. Tests have been conducted with third-party security experts to verify the strength of PSN, and the job of Chief Information Security Officer has been created to "add a new position of expertise in and accountability for customer data protection".

The new security measures include:

  • Added automated software monitoring and configuration management to help defend against new attacks.
  • Enhanced levels of data protection and encryption.
  • Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns.
  • Implementation of additional firewalls.

Sony has come under fire for not encrypting personal data, such as passwords. In the UK the Information Commissioner's Office plans to discuss the security failure with Sony to see whether it was in breach of the Data Protection Act.

But Sony has insisted it encrypted credit card information, and this morning stressed that it has found no evidence "at this time" that credit card data was stolen.

Hirai confirmed the number of exposed credit card numbers was about 10 million. Sony is unsure if those card numbers were actually stolen, and it doesn't know if hackers are trying to use them in fraudulent purchases.

Once PSN comes back online, it will force a system software update that requires all registered PSN users to change their account passwords. The password can only be changed on the same PS3 in which that account was activated, or through validated email confirmation.

"This criminal act against our network had a significant impact not only on our consumers, but our entire industry," Sony deputy president Kazuo Hirai said.

"These illegal attacks obviously highlight the widespread problem with cyber-security. We take the security of our consumers' information very seriously and are committed to helping our consumers protect their personal data. In addition, the organization has worked around the clock to bring these services back online, and are doing so only after we had verified increased levels of security across our networks.

"Our global audience of PlayStation Network and Qriocity consumers was disrupted. We have learned lessons along the way about the valued relationship with our consumers, and to that end, we will be launching a customer appreciation program for registered consumers as a way of expressing our gratitude for their loyalty during this network downtime, as we work even harder to restore and regain their trust in us and our services."

Sony is working with law enforcement to track down and prosecute the hackers, it said.

18 Comments

Andrew Goodchild
Studying development

1,235 396 0.3
PlayStation Plus doesn't apply to PSP, does it? I only actually signed up to PSN a week or 2 before the breach, so timing was spectacular.

Posted:3 years ago

#1

Curt Sampson
Software Developer

596 360 0.6
The article on Joystiq gives some further information on what happened:

"Sony guesses that hackers got into the network through an 'application server,' through which they were then able to get into the database servers and grab data.
...
The vulnerability in the web server was a vulnerability known about that particular type of server, one of the execs on stage said."

So, there we have what appears to be an admission of two major technical failures on Sony's part: they should have been patching their server software to close known vulnerabilities, and the web and application servers should never have had the kind of access to the database that would allow something running on the server to do a bulk download of user data. Further, though they should probably have been using hashed passwords in the first place, the web and application servers should never have had access to the passwords at all. If they're using typical system designs, the only hosts that needed access to all the passwords were the database servers, and the hosts that had access to any passwords at all (those sending password reminder e-mail messages) should never have been running any programs that accept requests from the Internet at all.

Do keep in mind, though, that these technical details may not yet be entirely accurate.

The appointment of a security officer at a very high management level is a very good move. It's almost certain that Sony has the technical expertise to avoid things like this happening, and that it wasn't applied here was entirely a management failure.

Posted:3 years ago

#2
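The separation described in the comment above, sketched as an added example that is not part of the original thread or anything Sony published: the internet-facing tier is handed only a yes/no check, while salted password hashes stay on a credential tier. The class names, the PBKDF2 cost and the failure limit are assumptions made for this example, and the boundary between hosts is modelled here as two classes in one process.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # example cost for PBKDF2-HMAC-SHA256; tune upward in production


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class CredentialStore:
    """Credential tier: holds salted hashes only, never reachable from the internet."""

    def __init__(self):
        self._rows = {}  # username -> (salt, derived key); no plaintext is kept

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._rows[username] = (salt, _derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        known = username in self._rows
        # Unknown users still cost one derivation, so timing does not reveal them.
        salt, stored = self._rows.get(username, (b"\x00" * 16, b"\x00" * 32))
        return hmac.compare_digest(_derive(password, salt), stored) and known


class AuthGateway:
    """The only interface the web/application tier gets: one yes/no answer per
    call, a failure limit per account, and no operation that reads or lists rows."""

    MAX_FAILURES = 5

    def __init__(self, store: CredentialStore):
        self._store = store
        self._failures = {}

    def check(self, username: str, password: str) -> bool:
        if self._failures.get(username, 0) >= self.MAX_FAILURES:
            return False  # locked: even the right password is refused
        if self._store.verify(username, password):
            self._failures.pop(username, None)
            return True
        self._failures[username] = self._failures.get(username, 0) + 1
        return False
```

In a deployment the gateway would be a network service on a separate host, so that code running on a compromised web server can ask about one credential at a time but cannot read the stored rows.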

Robert Kelly

38 0 0.0
@Andrew I think there are some offers for discounted PSP games or add on content. Also you get minis which I think can be played on PSP :)

Posted:3 years ago

#3

Miguel Melo
Software Engineer

65 0 0.0
As I mentioned on another thread, freebies go a long way buying my tolerance. I am but a simple man. :)

Posted:3 years ago

#4

Jared Mallia

17 0 0.0
Miguel, I feel the same! Besides credit card details, I don't actually know anyone who used their real address or name when signing up. It seems you were only caught out if you were an idiot. Cancelling a credit card isn't that big of a deal - and besides, PSN is free! Go XBL if you're annoyed!

Posted:3 years ago

#5

Klaus Preisinger
Freelance Writing

1,072 1,007 0.9
30 days of free PSN+ is more advertising than compensation.

Posted:3 years ago

#6

James Steele
Senior Software Engineer

15 17 1.1
The public will flock back to PSN, there's no doubt about that. Freebies can go a long way to buying the good will of people, no matter what sort of inconvenience you've put them through.

But what about developers? What about all those who have probably lost a significant (for them at any rate) amount of revenue due to the attack, and are most likely wanting some serious answers? It'll be interesting to see how the part nobody seems to be talking about in this whole saga plays out.

Which is worrying, since this is an industry news site, not a gamers news site.

Posted:3 years ago

#7

Private
Industry

1,176 182 0.2
Well they are not going to openly discuss their plans, if any, for the developers except directly with the affected parties.

Freebies or not I would still use the PSN, I don't see a reason why I shouldn't. My data could get stolen anywhere else by hackers so it's not like I had the belief my data is secure in the first place.

Posted:3 years ago

#8
And it's free

Posted:3 years ago

#9

Ben Hewett
Studying MA Philosophy

40 1 0.0
@ Chee

Why does the fact that PSN is free have any bearing at all on this whole debacle?

Posted:3 years ago

#10

Klaus Preisinger
Freelance Writing

1,072 1,007 0.9
PSN is not free, the users are paying for it with their personal data. Much like a traditional print magazine can leverage its readership and "sell" them to advertisers, Sony can "sell" their 75M audience to create an economic environment to their liking. Such as asking developers for a 30% publishing fee, or demanding developers to pay them money for the "privilege" to create games for this 75M audience.

This system is only possible because Sony forces each and every PSN user to pay something. Even if it is not money from the start, it is at least one e-mail address which then kickstarts the economic chain reaction. To play on PSN I have to give up part of my anonymity and not everybody likes it when it is stolen. For those people it raises the question, if the price they pay for PSN is already too high.

Posted:3 years ago

#11

Private
Industry

1,176 182 0.2
There are plenty of free e-mail services out there that let you quickly create a new e-mail with no need to use your real personal information so you don't have to give up your anonymity.

Posted:3 years ago

#12

David Amirian
Writer

59 3 0.1
You don't have to give anything you don't want to. Who is forcing you to give up your anonymity? What a ridiculous argument.

Posted:3 years ago

#13

Klaus Preisinger
Freelance Writing

1,072 1,007 0.9
If you do not give your real name, then good luck trying to recover a password or a purchase if something goes wrong. If hackers deleted the database where Sony tracks which account bought which game, then re-downloading is no longer an option. Trying to recover your account with your real name, when you gave the name Jack Inabox, is also highly problematic. If you bought via anonymous PSN cash card, your problems only grow.

Not giving your name is not a problem when you buy a physical medium, or when you download a file which you then fully own. But when you only connect to a service, then you have to be able to re-validate yourself. I can always say that I am Klaus and recover an account registered to that name. But once I give out fake names, anything I buy with these fake names is excruciating to recover.

Posted:3 years ago

#14

Chris Paton

6 0 0.0
Sure who cares anyway? Has this affected ANYONE yet? Have there been any stories of identity theft or credit card fraud? I'm sure we'd have heard something by now. PSN is a great service, free online gaming is great - I've had these features for the past 4 years, so if someone wants to go to the bother of stealing the E30 in my account right now, fine.

I don't use an important card for online purchases anyway. There's only ever so much in it and it's a debit account with no overdraft feature, perfect for such an occasion.

Also, if someone has my name, who cares? It's not like I'm going to go change it. Besides, if they REALLY wanted my name, get out a phone book! :)

Posted:3 years ago

#15

Jake Clayton

54 0 0.0
Actually Chris, there's already been quite a few people involved in credit card fraud since the 16th who used the PSN, just there's currently no evidence yet as to whether their credit card fraud is related to somewhere else or the PSN.

Posted:3 years ago

#16

Stefano Ronchi
Indie Game Developer

50 0 0.0
Will Sony provide a Welcome Back More Stable Gaming Connection and Download Speeds?

Alas poor Yorick, I think not. Shame, it was the perfect opportunity.

Posted:3 years ago

#17

Jim Webb
Executive Editor/Community Director

2,246 2,233 1.0
Curt, I have read (accuracy in question here) that the web servers were running outdated Apache software while Sony claimed all the software was up to date. My question is if they were running the latest Apache, what vulnerability are they talking about? I don't know of any vulnerabilities in 2.2.17 (latest stable version - out for the past 6 months).

Incidentally, it was the previous version of Apache that was known for not protecting against DDoS attacks.

Posted:3 years ago

#18
