Sony outlines PlayStation Network revival plans

Creates security officer position, promises incentives for gamers

At a Tokyo press conference this morning Sony executives apologised for the PlayStation Network outage that has seen the theft of millions of gamers' personal data - possibly even credit cards.

Sony revealed its "Welcome Back" programme designed to reward customers affected by the outage.

Sony will offer "selected PlayStation entertainment content" for free download on a region-by-region basis. It will announce the content soon.

All existing PSN customers will get 30 days free membership in the PlayStation Plus service. Existing PS+ customers receive 30 days free. Qriocity subscribers receive 30 days free.

Sony promised more Welcome Back "entertainment and services" over the coming weeks as PSN is turned back on. Sony reconfirmed the news that some PSN and Qriocity services will be available this week. Sony will first turn back on gaming, music and video services.

Meanwhile, Sony went into a bit more detail on last week's cyber-attack that rocked the game industry and left personal data tied to 77 million PSN accounts stolen.

Sony has implemented a variety of new security measures to provide greater protection of personal information. Tests have been conducted with third-party security experts to verify the strength of PSN, and the job of Chief Information Security Officer has been created to "add a new position of expertise in and accountability for customer data protection".

The new security measures include:

  • Added automated software monitoring and configuration management to help defend against new attacks.
  • Enhanced levels of data protection and encryption.
  • Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns.
  • Implementation of additional firewalls.

Sony has come under fire for not encrypting personal data, such as passwords. In the UK the Information Commissioner's Office plans to discuss the security failure with Sony to see whether it was in breach of the Data Protection Act.

But Sony has insisted it encrypted credit card information, and this morning stressed that it has found no evidence "at this time" that credit card data was stolen.

Hirai confirmed the number of exposed credit card numbers was about 10 million. Sony is unsure if those card numbers were actually stolen, and it doesn't know if hackers are trying to use them in fraudulent purchases.

Once PSN comes back online, it will force a system software update that requires all registered PSN users to change their account passwords. The password can only be changed on the same PS3 on which that account was activated, or through validated email confirmation.

"This criminal act against our network had a significant impact not only on our consumers, but our entire industry," Sony deputy president Kazuo Hirai said.

"These illegal attacks obviously highlight the widespread problem with cyber-security. We take the security of our consumers' information very seriously and are committed to helping our consumers protect their personal data. In addition, the organization has worked around the clock to bring these services back online, and are doing so only after we had verified increased levels of security across our networks.

"Our global audience of PlayStation Network and Qriocity consumers was disrupted. We have learned lessons along the way about the valued relationship with our consumers, and to that end, we will be launching a customer appreciation program for registered consumers as a way of expressing our gratitude for their loyalty during this network downtime, as we work even harder to restore and regain their trust in us and our services."

Sony is working with law enforcement to track down and prosecute the hackers, it said.

Latest comments (18)

Andrew Goodchild Studying development, Train2Game 9 years ago
PlayStation Plus doesn't apply to PSP, does it? I only actually signed up to PSN a week or 2 before the breach, so timing was spectacular.
Curt Sampson Software Developer 9 years ago
The article on Joystiq gives some further information on what happened:

Sony guesses that hackers got into the network through an "application server," through which they were then able to get into the database servers and grab data.
The vulnerability in the web server was a vulnerability known about that particular type of server, one of the execs on stage said.

So, there we have what appears to be an admission of two major technical failures on Sony's part: they should have been patching their server software to close known vulnerabilities, and the web and application servers should never have had the kind of access to the database that would allow something running on the server to do a bulk download of user data. Further, though they should probably have been using hashed passwords in the first place, the web and application servers should never have had access to the passwords at all. If they're using typical system designs, the only hosts that needed access to all the passwords were the database servers, and the hosts that had access to any passwords at all (those sending password reminder e-mail messages) should never have been running any programs that accept requests from the Internet at all.

Do keep in mind, though, that these technical details may not yet be entirely accurate.

The appointment of a security officer at a very high management level is a very good move. It's almost certain that Sony has the technical expertise to avoid things like this happening, and that it wasn't applied here was entirely a management failure.
Robert Kelly 9 years ago
@Andrew I think there are some offers for discounted PSP games or add on content. Also you get minis which I think can be played on PSP :)
Miguel Melo Principal Software Engineer/Product Manager 9 years ago
As I mentioned on another thread, freebies go a long way buying my tolerance. I am but a simple man. :)
Jared Mallia 9 years ago
Miguel, I feel the same! Besides credit card details, I don't actually know anyone who used their real address or name when signing up. It seems you were only caught out if you were an idiot. Cancelling a credit card isn't that big of a deal - and besides, PSN is free! Go XBL if you're annoyed!
Klaus Preisinger Freelance Writing 9 years ago
30 days of free PSN+ is more advertising than compensation.
James Steele Senior Software Engineer, Nintendo of Europe GmbH 9 years ago
The public will flock back to PSN, there's no doubt about that. Freebies can go a long way to buying the good will of people, no matter what sort of inconvenience you've put them through.

But what about developers? What about all those who have probably lost a significant (for them at any rate) amount of revenue due to the attack, and are most likely wanting some serious answers? It'll be interesting to see how the part nobody seems to be talking about in this whole saga plays out.

Which is worrying, since this is an industry news site, not a gamers news site.
Private Industry 9 years ago
Well they are not going to openly discuss their plans if any for the developers except directly with the affected parties.

Freebies or not I would still use the PSN, I don't see a reason why I shouldn't. My data could get stolen anywhere else by hackers so it's not like I had the belief my data is secure in the first place.
And it's free
Ben Hewett Studying MA Philosophy, University of Birmingham 9 years ago
@ Chee

Why does the fact that PSN is free have any bearing at all on this whole debacle?
Klaus Preisinger Freelance Writing 9 years ago
PSN is not free, the users are paying for it with their personal data. Much like a traditional print magazine can leverage its readership and "sell" them to advertisers, Sony can "sell" their 75M audience to create an economic environment to their liking. Such as asking developers for a 30% publishing fee, or demanding developers to pay them money for the "privilege" to create games for this 75M audience.

This system is only possible because Sony forces each and every PSN user to pay something. Even if it is not money from the start, it is at least one e-mail address which then kickstarts the economic chain reaction. To play on PSN I have to give up part of my anonymity and not everybody likes it when it is stolen. For those people it raises the question, if the price they pay for PSN is already too high.
Private Industry 9 years ago
There are plenty of free e-mail services out there that let you quickly create a new e-mail with no need to use your real personal information so you don't have to give up your anonymity.
David Amirian Writer 9 years ago
You don't have to give anything you don't want to. Who is forcing you to give up your anonymity? What a ridiculous argument.
Klaus Preisinger Freelance Writing 9 years ago
If you do not give your real name, then good luck trying to recover a password or a purchase if something goes wrong. If hackers deleted the database where Sony tracks which account bought which game, then re-downloading is no longer an option. Trying to recover your account with your real name, when you gave the name Jack Inabox, is also highly problematic. If you bought via anonymous PSN cash card, your problems only grow.

Not giving your name is not a problem when you buy a physical medium, or when you download a file which you then fully own. But when you only connect to a service, then you have to be able to re-validate yourself. I can always say that I am Klaus and recover an account registered to that name. But once I give out fake names, anything I buy with these fake names is excruciating to recover.
Chris Paton 9 years ago
Sure who cares anyway? Has this affected ANYONE yet? Have there been any stories of identity theft or credit card fraud? I'm sure we'd have heard something by now. PSN is a great service, free online gaming is great - I've had these features for the past 4 years, so if someone wants to go to the bother of stealing the E30 in my account right now, fine.

I don't use an important card for online purchases anyway. There's only ever so much in it and it's a debit account with no overdraft feature, perfect for such an occasion.

Also, if someone has my name, who cares? It's not like I'm going to go change it. Besides, if they REALLY wanted my name, get out a phone book! :)
Jake Clayton 9 years ago
Actually Chris, there's already been quite a few people involved in credit card fraud since the 16th who used the PSN, just there's currently no evidence yet as to whether their credit card fraud is related to somewhere else or the PSN.
Stefano Ronchi Indie Game Developer 9 years ago
Will Sony provide a Welcome Back More Stable Gaming Connection and Download Speeds?

Alas poor Yorick, I think not. Shame, it was the perfect opportunity.
Jim Webb Executive Editor/Community Director, E-mpire Ltd. Co. 9 years ago
Curt, I have read (accuracy in question here) that the web servers were running outdated Apache software while Sony claimed all the software was up to date. My question is if they were running the latest Apache, what vulnerability are they talking about? I don't know of any vulnerabilities in 2.2.17 (latest stable version - out for the past 6 months).

Incidentally, it was the previous version of Apache that was known for not protecting against DDoS attacks.