Sony 2011 Playstation Network Hack
[Image credit: Rubin, 2014]
Background:
Many people around the world have access to computers. According to 2013 reports from the U.S. Census, 83.4 percent of U.S. households own computers and 73.4 percent of households reported having access to high-speed internet (“Computer and Internet Use”, 2014). Most internet users and individuals who keep up with current news have heard of the term “hacking.” Hacking is defined as “the obsessive use of computers or the unauthorized access and use of networked computer systems” (O’Brien & Marakas, 2011, p. 535). Sony Corporation and their customers have had plenty of experience with the chaos that these unauthorized users can inflict.
What Happened?
In 2011, Sony experienced a very challenging year. Over a four-month period, the company experienced six data breaches, a chain of events that dates back to a decision they made the previous year. In 2010, Sony removed the ability to install third-party operating systems on their PlayStation 3 (PS3) consoles; however, by January 2011, hacker George Hotz was able to jailbreak the system and posted online instructions for others to follow (IGN, 2011). Within two weeks, Mr. Hotz and others were sued by Sony for circumventing the PS3 security system. By early April, the Sony drama caught the attention of the hacker group Anonymous, which launched #OpSony in retaliation for the lawsuit against Mr. Hotz (Takahashi, 2011). By April 11, the Hotz lawsuit was settled, and Hotz removed his website and the jailbreak information. Anonymous was not satisfied with the settlement and continued their pursuit of Sony.
[Image: “Largest Data Breaches of All Time” (n.d.)]
On April 16 and 17, hackers compromised the PlayStation Network (PSN) and Sony Online Entertainment, exposing personal details, account information, and European credit and debit card numbers (IGN, 2011). PSN is an online network created by Sony through which users have access to online gaming, music, and television and movie streaming services from their PS3 gaming consoles. Sony first became aware of the breach on April 19, at which point they launched an investigation to discover what the security breach entailed. Sony shut down the network on April 20 in order to prevent any additional data from being stolen while they tried to repair the network. With the help of third-party computer security and consulting firms, Sony was finally able to restore the PSN after 24 days of downtime (Takahashi, 2011). During this breach, hackers gained access to the names, addresses, logins, birthdates, and email addresses of 77 million PSN users, making it one of the biggest privacy breaches of all time. It is also believed that vulnerabilities exposed during this breach led to later attacks, including the attack on the Sony Online Entertainment (SOE) network (Stuart & Arthur, 2011). During this attack, the personal account information of 25 million SOE users was stolen, along with possibly over 12 thousand credit and debit card numbers (Ogg, 2011). Many people believe that it was Sony's lack of security safeguards that made this breach possible and claim it could easily have been prevented (Stuart & Arthur, 2011). Sony also received a great deal of criticism for how long it took them to make the public aware of the attack. Although Sony became aware of the breach on April 19, they did not admit the breach to the public until April 26; originally Sony claimed the network outage was simply due to technical issues (IGN, 2011). The following video illustrates what prompted the initial attack on the Sony PlayStation Network.
Why Did Sony Wait?
Sony received a great deal of public criticism as a result of these breaches, not just for the flaws in their security systems, but also for how Sony initially reacted and subsequently handled the situation. One of the main questions from users was why Sony did not make them aware of the breach until a full week after it was discovered. This delay put users at further risk by providing hackers with time to use the stolen personal information and credit card numbers for identity theft or fraud. If Sony had notified these users as soon as the attack was discovered, those consumers could have canceled their credit cards or taken other measures to prevent hackers from exploiting their personal information. Sony later released a statement claiming that the reason for the delay in revealing the breach to the public was "a difference in timing between when we identified there was an intrusion and when we learned consumers' data being compromised." Sony claimed that once the breach was discovered, it took several days of analysis by outside experts before they were able to determine that customers' data had been stolen (Stuart & Arthur, 2011). Many argue that even though Sony was not initially sure that user data had been stolen, the company still had an ethical responsibility to inform customers that their personal data might be at risk. Others believe Sony's neglect of their users' privacy went beyond an ethical failing and was actually a violation of internet privacy laws. Privacy laws are regulations many countries have put in place to help enforce the privacy of computer files and communications (O’Brien & Marakas, 2011). In the weeks following the breach, Sony was investigated by several governments for these privacy law violations.
Customers from the United States filed a class-action lawsuit against Sony claiming that the company was negligent in the protection of personal data and failed to inform customers of the breach in a timely manner. In 2014, Sony settled with the plaintiffs in this class-action lawsuit to the tune of $15 million. Sony claimed that the settlement was reached in order to “avoid the costs associated with lengthy litigation” (Walker, 2014). The Information Commissioner's Office in the United Kingdom later fined Sony 250,000 pounds (around $400,000) for violating the U.K.'s Data Protection Act (Yap, 2013).
What was the fallout?
This security breach negatively affected Sony's business in a number of different ways. One of the most obvious negative effects felt by Sony was the financial loss they experienced. The company addressed the breach in a revision to their financial forecast for 2011 and estimated that it would cost the company a total of 14 billion yen (about $171 million). Among these costs were customer support costs, the cost of the free products offered to customers as an apology from Sony for the breach, the legal costs of the various lawsuits Sony faced in different parts of the world, the cost to restore their networks, and the cost of new security enhancements to prevent further attacks (Sony Corporation, 2011). Another negative effect felt by Sony was to their reputation. As breaches kept occurring, more and more customers came to doubt Sony's ability to provide them with a secure network. These consumers began to see having an account with Sony as a privacy risk, which likely discouraged many of them from purchasing Sony products. Sony's reputation was also damaged by customers losing trust in the company because of how it handled the whole situation. Not only did Sony know about the vulnerability and fail to correct it, but they also kept the breach from users (Stuart & Arthur, 2011). Many saw this as a dishonest and unethical move by Sony that completely disregarded the privacy of its customers. If customers no longer think a business is concerned about their rights and experience, those customers are not going to trust that business. This diminishment of Sony's reputation also carries indirect financial costs from the loss of business from current customers as well as potential future customers. In the past, Sony has always had a great reputation among consumers, and that reputation helped provide them with long-term sustainability over the years.
The damage this security failure has caused to Sony's reputation will likely take years and cost a great deal of additional money to overcome.
Who Was Responsible?
Although the hacker group Anonymous publicly voiced their displeasure with Sony and threatened a boycott, within a week of the breach the group denied responsibility for the network outage (IGN, 2011). George Hotz also denied any involvement in the security breach (Takahashi, 2011). Sony turned to the FBI and experts in consulting and digital forensics to hunt down the individuals responsible for the security breach (Smith, 2011). Numerous arrests were made around the globe; many of the individuals arrested had ties to the Anonymous splinter group LulzSec. On June 10, 2011, three men from Spain with ties to Anonymous were arrested in connection with the PSN hack (Woolls, 2011). In 2013, four British men associated with LulzSec pleaded guilty to charges related to attacks on UK crime agencies and the CIA while also admitting their guilt in the 2011 PSN hack (Hide, 2013). The UK men received sentences of between 16 and 24 months for their various computer crimes (Graziano, 2013). Later in 2013, a U.S. man with ties to LulzSec, Raynaldo Rivera, and his colleague Cody Kretsinger were both sentenced to 366 days in prison, followed by house arrest, 1000 hours of community service, and $605,663 each in restitution in relation to the Sony security breach (“LulzSec Member”, 2013).
Analysis:
It is clear that this security breach in Sony's networks was made possible by Sony's lack of commitment to maintaining the integrity of their information security system. Sony admits that the vulnerability used to gain access to these networks was one that they already knew about and had failed to fix (Network World, 2011). The integrity of Sony's security system was already being questioned before these breaches even occurred. In January 2011, a group of hackers known as fail0verflow announced at a conference in Berlin just how inept Sony's PSN security was. They claimed that they were able to use "simple algebra" to exploit a weakness in the PlayStation network in order to gain access to it. This vulnerability is thought to be the same one later used by George Hotz to jailbreak the PS3 and subsequently used to initiate the breach of Sony's PSN and SOE (Stuart, 2011a). According to the Information Commissioner's Office in the U.K., "An ICO investigation found that the attack could have been prevented if the software had been up to date, while technical developments also meant passwords were not secure" (Yap, 2013). The reason this personal information was not secure and was easily accessed once the hackers made it past the network firewalls was that it was not encrypted. Encryption is a process that uses special algorithms to scramble data so that only authorized users can gain access to and read it (O’Brien & Marakas, 2011). Encryption has become a very important and common security measure that even small online businesses know to use. Although Sony did keep credit card numbers in an encrypted file, they should have added encryption to all personal information files in order to provide added protection, especially since they were aware that there was an existing vulnerability in their security system. Another obvious problem with Sony's security system was its lack of a proper security auditing process.
It is through these audits that companies are made aware of vulnerabilities so that they can correct them. Control logs, which consist of the network's programming, are audited daily in order to detect any changes that may indicate a breach. If this process had been carried out correctly, it would not have taken Sony two days to discover the breach, and they could have begun responding to it sooner. Overall, Sony definitely needed to revamp their entire information security network. This example shows just how important information security is for organizations and how disastrous it can be for those that do not have the necessary systems in place.
Works Cited:
Computer and Internet Use (2014, November). United States Census Bureau. Retrieved from: http://www.census.gov/content/dam/Census/library/publications/2014/acs/acs-28.pdf
Graziano, D. (2013, May 16). LulzSec hackers sentenced for attacking Sony, News Corp and the CIA. Retrieved from: http://news.yahoo.com/lulzsec-hackers-sentenced-attacking-sony-news-corp-cia-223053837.html
Hide, N. (2013, April 9). Four UK LulzSec members plead guilty to attacking CIA, Sony. Retrieved from: http://www.cnet.com/uk/news/four-uk-lulzsec-members-plead-guilty-to-attacking-cia-sony/
IGN. (2011, May 6). PSN Hack Attack Summary. Retrieved from [video file]: https://www.youtube.com/watch?v=QVU6v53ow8k
Largest Data Breaches of All Time (n.d.). Retrieved from: http://flowingdata.com/2011/06/13/largest-data-breaches-of-all-time/
Lulzsec Member Who Helped Hack Sony Gets Prison Time. (2013, August 9). Retrieved from: http://www.dailydot.com/crime/reynaldo-rivera-sony-hack-lulzsec-prison-sentence/
Network World. (2011, May 1). Sony Apologized for PlayStation Network Attack, Outage. Retrieved from [video file]: https://www.youtube.com/watch?v=_SDCV00ErEs
O’Brien, J. & Marakas, G. (2011). Chapter 13: Security and Ethical Challenges. Management Information Systems (10th ed.). McGraw-Hill Irwin.
Ogg, E. (2011, May 3). The PlayStation Network Breach (FAQ). Retrieved from: http://www.cnet.com/news/the-playstation-network-breach-faq/
Rubin, B. (2014, August 25). Sony Says PlayStation Network Back Online. Retrieved from: http://www.cnet.com/au/news/sony-says-playstation-network-back-online/
Smith, C. (2011, May 4). Sony PlayStation Network Hacker Hunt Taps Top Cyber-Sleuths. Retrieved from: http://www.huffingtonpost.com/2011/05/04/sony-playstation-network-hacker-hunt_n_857387.html
Sony Corporation. (2011, May 23). REG-Sony Corporation Media/Investor Briefings Regarding The Revision of Consolidated Results Forecast for the Fiscal Year Ended March 31, 2011. Retrieved from Reuters: http://www.reuters.com/article/2011/05/23/idUS160972+23-May-2011+BW20110523
Stuart, K. (2011a, January 7). PlayStation 3 Hack - How it Happened and What it Means. Retrieved from: http://www.theguardian.com/technology/gamesblog/2011/jan/07/playstation-3-hack-ps3
Stuart, K., & Arthur, C. (2011, April 27). PlayStation Network Hack: Why it Took Sony Seven Days to Tell the World. Retrieved from: http://www.theguardian.com/technology/gamesblog/2011/apr/27/playstation-network-hack-sony
Takahashi, D. (2011, May 4). Chronology of the Attack on Sony's PlayStation Network. Retrieved from: http://venturebeat.com/2011/05/04/chronology-of-the-attack-on-sonys-playstation-network/
Walker, D. (2014, July 24). Sony to Shell Out $15M in PSN Breach Settlement. Retrieved from: http://www.scmagazine.com/sony-to-shell-out-15m-in-psn-breach-settlement/article/362720/
Woolls, D. (2011, June 10). 'Anonymous' PlayStation Hackers Arrested. Retrieved from: http://www.huffingtonpost.com/2011/06/10/spain-anonymous-hackers-arrest_n_874677.html
Yap, J. (2013, January 24). Sony Fined $395K for 2011 PlayStation Network Hack. Retrieved from: http://www.cnet.com/news/sony-fined-395k-for-2011-playstation-network-hack/