Posts Tagged ‘PSN’

According to a Wall Street Journal report, So-net Entertainment Corp, an Internet service provider subsidiary of Sony Corp., said an online intruder accessed its customer rewards site earlier this week and stole customers’ redeemable gift points worth about $1,225.

Sony’s infamous hack on online gaming networks including PlayStation Network and Sony Online Entertainment has already become one of the biggest hacks ever. The latest hack is the only one that has a direct financial component attached to it. The previous hacks that brought down PSN around 19th of April and impacted over 100 million users resulted in outages of the two gaming networks for nearly a month and exposed user credit card details. However, there are no reports yet on any misuse of that data.

Security experts said they were not surprised the electronics company has yet to clean up weaknesses in its massive global network. Earlier this week, Sony shut down one of its websites set up to help millions of users change their passwords after finding a security flaw.

As for whether this latest hack is related, So-net’s Keisuke Watabe said, “Although we can’t completely rule out the possibility that there is a connection with the PSN issue, the likelihood is low.”

So-net sent a warning to its members yesterday saying that someone had tried to log in to the rewards site 10,000 times from the same IP address, and that the company thought the hacker might have had members’ usernames but no passwords. Therefore, he or she repeatedly tried automatically generated passwords until they worked.

When the dust settled, rewards points from 128 accounts with a total worth of just over $1,200 were redeemed. The Journal says that 73 additional accounts were accessed but had no points taken, and 90 So-net e-mail accounts were compromised as well. So-net claims that “there is no evidence that any personal data such as names, addresses, birth dates or phone numbers were viewed,” reports the Journal.
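The login pattern So-net described (a large number of failed attempts from one IP address against known usernames, some of which eventually succeed) can be picked out of authentication logs. The following Python is an added example, not So-net's or Sony's code; the log format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window per source IP
MAX_FAILS = 5                   # assumed number of failures tolerated inside WINDOW


def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <source IP> <username> <OK|FAIL>'."""
    base = datetime(2011, 5, 16, 10, 0, 0)
    lines, t = [], 0
    # One address guessing passwords for usernames it already knows.
    for user in ("aiko", "ben", "chie"):
        for _ in range(4):
            stamp = (base + timedelta(seconds=t)).isoformat()
            lines.append(f"{stamp} 203.0.113.7 {user} FAIL")
            t += 2
        if user != "ben":  # the guess eventually lands for two of the three
            stamp = (base + timedelta(seconds=t)).isoformat()
            lines.append(f"{stamp} 203.0.113.7 {user} OK")
            t += 2
    # An ordinary member who mistypes once and then logs in.
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 198.51.100.20 dai FAIL")
    lines.append(f"{(base + timedelta(seconds=35)).isoformat()} 198.51.100.20 dai OK")
    return lines


def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def find_guessing_sources(lines, window=WINDOW, max_fails=MAX_FAILS):
    """Return {ip: report} for every source that reaches max_fails failures in window.

    Each report lists the accounts that were targeted and the accounts where a
    success followed failures from the same address, i.e. the accounts whose
    passwords should be reset and whose activity should be reviewed.
    """
    events = sorted(parse(l) for l in lines if l.strip())

    # Pass 1: sliding window of failure timestamps per source address.
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _user, outcome in events:
        if outcome != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_fails:
            flagged.add(ip)

    # Pass 2: look back over everything a flagged address did, including
    # successes that happened before the threshold was reached.
    report = {}
    for ip in flagged:
        targeted, compromised, failures = set(), set(), 0
        for _ts, src, user, outcome in events:
            if src != ip:
                continue
            if outcome == "FAIL":
                targeted.add(user)
                failures += 1
            elif user in targeted:
                compromised.add(user)
        report[ip] = {
            "failures": failures,
            "targeted": sorted(targeted),
            "compromised": sorted(compromised),
        }
    return report


if __name__ == "__main__":
    for ip, info in find_guessing_sources(build_sample_log()).items():
        print(ip, info)
```

The second pass matters for incident scoping: an account whose password was guessed before the source crossed the threshold is still reported as compromised.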

It’s becoming increasingly clear that Sony may have a company-wide security problem on its hands. It took Sony an eternity to get the PlayStation Network back up and running, but it didn’t take long before people noticed a vulnerability in the PSN’s login system. Sony’s response was to point out that the security hole was simply a vulnerability, not an actual hack.

F-Secure  also noted that a phishing site “targeting an Italian credit card company” was found on one of Sony’s servers in Thailand. “Basically this means that Sony has been hacked, again,” says F-Secure’s post, which continues, “Although in this case the server is probably not very important.”

Sony has already accepted that it didn’t even have a Chief Information Security Officer and is NOW trying to create that position. That clearly shows the callous approach Sony has been taking towards security so far.

After much delay and promises of ‘quick restoration’ of its PlayStation Network Services, Sony finally started restoring the online gaming platform on Sunday. However, in less than into the restoration process, Sony faced a major glitch.

Sony announced Sunday that PSN users can start updating the firmware on their PS3 and will be able to change their password when PSN services are restored in their respective countries. Kazuo Hirai just announced that Sony has begun the phased restoration by region of some of the services, starting with online multiplayer functionality.

However, according to Sony’s blog on Monday, some of the users have mentioned that they have not received their password reset emails. With the huge number of people coming back online at the same time and resetting their passwords, it is creating significant email traffic to ISPs. The consequence is that some of the ISPs are throttling the emails.

Sony says it is currently trying to resolve this, but in the meantime asking users to remain patient and refrain from submitting multiple requests.

Here’s the latest update on the restoration process from Sony:

Update:
We’re currently experiencing an extremely heavy load of password resets, so we recently had to turn off services for approximately 30 minutes to clear the queue.

If you’ve requested your password reset, please give it a bit of time to reach your email.

Last weekend, Sony Computer Entertainment announced that it will provide complimentary enrollment in an identity theft protection program. Here are the details of this program for PlayStation Network and Qriocity account holders in the United States only. Sony said it is working to make similar programs available in other countries/territories where applicable.

Sony has made arrangements with Debix Inc., an identity protection firm, to offer AllClear ID Plus at no cost to PlayStation Network and Qriocity account holders for 12 months from the time an account holder registers for the program.

Sony will start sending out activation emails for this program over the next few days, and users in the US will have until June 18th to sign up and redeem their code. Users will need to sign up directly through AllClearID, not on Sony’s websites, and details, including step-by-step instructions for the program, will be emailed to United States PSN and Qriocity account holders soon.

The details of the program include:

  • Cyber monitoring and surveillance of the Internet to detect exposure of an AllClear ID Plus customer’s personal information, including monitoring of criminal web sites and data recovered by law enforcement. If his/her personal information is found, the customer will be alerted by phone and/or email and will be provided advice and support regarding protective steps to take. The customer will also receive monthly identity status reports. Debix works with an alliance of cyber-crime experts from the government, academia and industry to provide these services.
  • Priority access to licensed private investigators and identity restoration specialists. If an AllClear ID Plus customer receives an alert, or otherwise suspects that he/she may be the victim of identity theft, the customer can speak directly, on a priority basis, with an on-staff licensed private investigator, who will conduct a comprehensive inquiry. In the case of an identity theft, the customer can work with an identity restoration specialist to contact creditors and others, and take necessary steps to restore the customer’s identity.
  • A $1 million identity theft insurance policy per user to provide additional protection in the event that an AllClear ID Plus customer becomes a victim of identity theft. This insurance would provide financial relief of up to $1 million for covered identity restoration costs, legal defense expenses, and lost wages that occur within 12 months after the stolen identity event.

Sony has disclosed that hackers stole the names, addresses and passwords of nearly 25 million more users than previously known, less than a day after the Japanese company apologized for one of the worst break-ins in Internet history.

On Sunday, Sony apologized to its users for the incident that was initially thought to have impacted close to 77 million Sony PlayStation users. Sony also announced a compensation package with multiple freebies for its users. According to Reuters, the Japanese electronics company said it discovered the break-in of its Sony Online Entertainment PC games network also led to the theft of 10,700 direct debit records from customers in Austria, Germany, the Netherlands and Spain and 12,700 non-U.S. credit or debit card numbers.

Sony said late Monday that the names, addresses, emails, birth dates, phone numbers and other information from 24.6 million PC games customers were stolen from its servers as well as an “outdated database” from 2007. However, Sony denied on its official PlayStation blog on Monday that hackers had tried to sell it a list of millions of credit card numbers.

The April incident has sparked legal action and investigations by authorities in North America and Europe, home to almost 90 percent of the users of the network, which enables gamers to download software and compete with other members.

On Monday, Sony declined to testify in person in front of a U.S. congressional hearing, but agreed to respond to questions on how consumer private data is protected by businesses in a letter on Tuesday, said a spokesman for Rep. Mary Bono Mack, a Republican Congresswoman from California, who is leading the hearing.

The incident that Sony disclosed on Monday also forced it to suspend its Sony Online Entertainment games on Facebook. Sony posted a message on Facebook saying it had to take down the games during the night. A Sony spokesman said the Facebook games make money from microtransactions and the sale of virtual goods like costumes and weapons.

It was not immediately clear if the data theft included data from players of Sony games including “PoxNora,” “Dungeon Overlord,” “Wildlife Refuge” on Facebook.

Sony is expected to begin a phased restoration by region of PlayStation Network and Qriocity services, beginning with gaming, music and video services. The company today announced both a series of immediate steps to enhance security across the network and a new customer appreciation program, filled with freebies to ‘thank its customers’ for their patience and loyalty.

Following a criminal cyber-attack on the company’s data-center located in San Diego, California, U.S.A., Sony quickly turned off the PSN and Qriocity services, engaged multiple expert information security firms over the course of several days and conducted an extensive audit of the system. Since then, the company has implemented a variety of new security measures to provide greater protection of personal information. SNEI and its third-party experts have conducted extensive tests to verify the security strength of the PlayStation Network and Qriocity services. With these measures in place, SCE and SNEI plan to start a phased rollout by region of the services shortly. The initial phase of the rollout will include the following:

  • Restoration of online game-play across the PlayStation 3 (PS3) and PSP (PlayStation®Portable) systems, including titles requiring online verification and downloaded games
  • Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
  • Access to account management and password reset
  • Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
  • PlayStation Home
  • Friends List
  • Chat Functionality

Working closely with several outside security firms, the company has implemented significant security measures to further detect unauthorized activity and provide consumers with greater protection of their personal information. The company is also creating the position of Chief Information Security Officer, directly reporting to Shinji Hasejima, Chief Information Officer of Sony Corporation, to add a new position of expertise in and accountability for customer data protection and supplement existing information security personnel. The new security measures implemented include, but are not limited to, the following:

  • Added automated software monitoring and configuration management to help defend against new attacks
  • Enhanced levels of data protection and encryption
  • Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns
  • Implementation of additional firewalls

The company also expedited an already planned move of the system to a new data center in a different location that has been under construction and development for several months. In addition, PS3 will have a forced system software update that will require all registered PlayStation Network users to change their account passwords before being able to sign into the service. As an added layer of security, that password can only be changed on the same PS3 in which that account was activated, or through validated email confirmation, a critical step to help further protect customer data.

The company is conducting a thorough and on-going investigation and working with law enforcement to track down and prosecute those responsible for the illegal intrusion.

“This criminal act against our network had a significant impact not only on our consumers, but our entire industry. These illegal attacks obviously highlight the widespread problem with cyber-security. We take the security of our consumers’ information very seriously and are committed to helping our consumers protect their personal data. In addition, the organization has worked around the clock to bring these services back online, and are doing so only after we had verified increased levels of security across our networks,” said Kazuo Hirai, Executive Deputy President, Sony Corporation. “Our global audience of PlayStation Network and Qriocity consumers was disrupted. We have learned lessons along the way about the valued relationship with our consumers, and to that end, we will be launching a customer appreciation program for registered consumers as a way of expressing our gratitude for their loyalty during this network downtime, as we work even harder to restore and regain their trust in us and our services.”

The freebies

Sony will also roll out the PlayStation Network and Qriocity “Welcome Back” program, to be offered worldwide, which will be tailored to specific markets to provide consumers with a selection of service options and premium content as an expression of the company’s appreciation for their patience, support and continued loyalty.

  • Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
  • All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
  • Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.

Additional “Welcome Back” entertainment and service offerings will be rolled out over the coming weeks as the company returns the PlayStation Network and Qriocity services to the quality standard users have grown to enjoy and strives to exceed those expectations.

Sony will continue to reinforce and verify security for transactions before resuming the PlayStation Store and other Qriocity operations, scheduled for this month.

According to a New York Times report, security researchers have said that they had seen discussions on underground Internet forums indicating that the hackers who infiltrated the Sony PlayStation Network last week may have made off with the credit card numbers of Sony customers. Sony has already accepted the breach in its networks and the possibility of credit card data being stolen with it.

The comments indicated that the hackers had a database that included customer names, addresses, usernames, passwords and as many as 2.2 million credit card numbers, the researchers said. Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company.

While these are good enough reasons for any PSN user to be worried at the moment (making Sony’s infamous hack the fourth largest ever reported), Sony is trying to pacify the users’ ire by hinting at a compensation package.

To thank players for their patience, Sony will be hosting special events across its game portfolio. Sony is also working on a “make good” plan for players of the PS3 versions of DC Universe Online and Free Realms. Details will be available soon on the individual game websites and forums.

“We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online,” Sony said in a statement.

Whether this would pacify the users or not would actually depend on what exactly Sony comes up with as a compensation plan. The Japanese major is already losing its highly loyal users to Microsoft’s Xbox due to this prolonged outage of PSN.

Meanwhile, Sony is also working on a new system software update that will require all users to change their password once PlayStation Network is restored. Sony is expected to provide more details about the new update very soon.

Last week’s hack on Sony’s PlayStation Network has been listed as the fourth largest data breach ever in history, exposing the personally identifiable information (PII) and possibly credit card data of about 70 million users, according to DataLossdb, an open source foundation that monitors data breaches across the world.

IT security firm, Sophos, is warning users of Sony’s PlayStation Network that they are at risk of identity theft after hackers broke into the system and accessed the personal data of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the online gamers’ personal information.  According to Sophos, users should take immediate action to ensure that their online identities are secure, and that fraudsters cannot take advantage of stolen credit card information.

Sony is yet to provide the exact details of the attack and says it is still unsure if the credit card details were breached but at the same time says it doesn’t rule out the possibility that your credit card details could already be in the hands of the attackers.

“If you’re a user of Sony’s PlayStation Network, now isn’t the time to sit back on your sofa and do nothing.  The fraudsters won’t wait around – for them this is a treasure trove ripe for exploiting. You need to act now to minimize the chances that your identity and bank account become casualties following this hack,” said Graham Cluley, Senior Technology Consultant at Sophos.  “That means, changing your online passwords (especially if you use the same password on other sites), and considering whether it would be prudent to inform your bank that as far as you’re concerned your credit card is now compromised.”

Sony has warned that hackers have been able to access a variety of personal information belonging to users including:

  • Name
  • Address (city, state, pin code)
  • Country
  • Email address
  • Date of birth
  • PlayStation Network/Qriocity password and login
  • Handle/PSN online ID

In addition, Sony warns that profile information – such as history of past purchases and billing addresses, as well as “secret answers” given to Sony for password security may also have been obtained.  Sony also admits that it cannot rule out the possibility that credit card information may also have been compromised.

“The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is very disturbing,” continued Cluley.  “If Sony loses your credit card information, it’s no different from you losing your credit card – you should cancel that card immediately.  Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.  All in all, this is a PR and security disaster for Sony.”

With millions of gamers affected by the Sony PlayStation outage, Sony says it might take another week to bring back its networks. However, this isn’t the bigger issue at the moment. What’s alarming for the millions of PlayStation users is that amidst the rumors that admin accounts were breached in the attack on Sony, the company has warned that your personal data might be in the hands of hackers already as Sony finally accepts a major breach in its network.

According to a letter written to its users, Sony says, “Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.”

If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, Sony says it cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution Sony advises that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, users are encouraged to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, Sony says it strongly recommends that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, it is strongly recommended that you change them as well.

“To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports,” Sony says.

There seems to be no end to the Sony PlayStation outage. While Sony has announced that its systems were hacked, after which the company had to bring down PSN servers, there are now rising privacy concerns over the personal contact details and credit card information of PS3 users, which were stored on PSN servers.

Satoshi Fukuoka, a spokesman for Sony Computer Entertainment in Tokyo, spoke with PCWorld and claimed the company “has not yet determined if the personal information or credit card numbers of users have been compromised, but that Sony would promptly inform users if it found that was the case.”

Luckily, Sony’s Patrick Seybold has yet another update to let us all know that Sony doesn’t have much of a clue about when this mess will get fixed. “Unfortunately, I don’t have an update or timeframe to share at this point in time,” he wrote. “As we previously noted, this is a time intensive process and we’re working to get them back online quickly. Will keep you updated with information as it becomes available. We once again thank you for your patience.”

According to the last update from Sony PSN Europe:

I know you are waiting for additional information on when PlayStation Network and Qriocity services will be online. Unfortunately, I don’t have an update or timeframe to share at this point in time. As we previously noted, this is a time intensive process and we’re working to get them back online quickly. Will keep you updated with information as it becomes available. We once again thank you for your patience.

I think Sony has already tested the patience of its users quite a lot and it’s high time it openly talks about the issue or rather does something concrete to bring back PSN to life.

After a long lazy weekend that was practically wasted because of an attack on Sony PlayStation Network, bringing down PSN to a complete halt, gamers woke up Monday morning with a ray of hope that Sony for sure would’ve fixed PSN by now. To their dismay, PSN is still down, even after 5 days of outage and there is more bad news.

According to a source with close connections to Sony Computer Entertainment Europe, the attack to the PlayStation Network may be a bit deeper than originally reported by Sony. According to the source, who wishes to remain anonymous, the PSN sustained a LOIC attack (which created a denial-of-service attack) that damaged the server. There was also a concentrated attack on the PlayStation servers holding account information. In addition, “Admin Dev accounts were breached.”

This led to the result of “Sony then shut down the PSN and [is] currently in the process of restoring backups to new servers with new admin dev accounts.” The SCEE (Sony Computer Entertainment Europe) source said Japanese servers may be restored tomorrow while the U.S. and E.U. servers will likely be operational the following day.

Sony Computer Entertainment America recently confirmed that it pulled down the PSN because of an “external intrusion.” The PlayStation Network and Qriocity services were pulled offline by Sony on Wednesday, April 20. Initially, hacktivist group Anonymous was suspected of the attacks but the group later denied any such rumors.

Be it Anonymous or someone else, Sony should’ve been prepared for Skynet on April 21st (well, considering the outage took place on the 20th of April, Sony perhaps deserves a little less abuse). However, if Sony can’t afford to build a contingency plan with billions of dollars in its pockets and thousands of bright minds behind it, then perhaps it truly deserves this Apocalypse. The only sad part is that tons of gamers now have to suffer because of Sony’s inability to secure its infrastructure and have crisis management in place.