About a month ago, the PlayStation Network was attacked by a group of hackers for Sony Online Entertainment's handling of what the company perceived was a breach of end-user agreement. In short, a creative individual broke down security protocols on the PlayStation 3 console system that allowed others to alter code and download some free content. Sony determined who the user was that was responsible for the "jailbreak" of the system, and banned the user. A group of hackers, outraged by the action, broke into the PlayStation Network—which is essentially the hub for all online interactions with the PS3 console—and disabled it.
Sony resolved the issue. At least it thought it had. The original hackers disavowed the second attack, which put the PSN offline, and compromised 24.6 million accounts. Varying reports indicated that user names, email addresses, passwords and even some credit card information may have been taken in the most recent attack. And it only got worse. Earlier this week, SOE was forced to take all its online game elements, from its massively multiplayer online games to its Facebook games, offline.
On May 5, the House Energy and Commerce Committee conducted a hearing. Sony CEO and executive vice president Kazuo Hirai refused to testify. Gene Spafford, head of the U.S. Public Policy Council for the Association for Computing Machinery did testify and stated that Sony was aware of the security holes in the PSN and made little effort to plug the gaps. A story by TG Daily, citing a Bloomberg report, stated that the New York attorney general had subpoenaed Sony over not only its inability to secure the network from attacks but also for misrepresenting the serious nature of the attacks to its customers.
Class-action lawsuits are in the works, including one from a law firm in Toronto, Ontario, Canada, that is seeking $1.05 billion. Sony has hired outside security experts to plug the holes, but the service remains down, and credit information is in jeopardy. CNET has reported that those responsible for latest hack of the system and for stealing the information have stated there would be a "third major attack" against Sony this weekend, and that "all or some of the information they are able to copy from Sony's servers, which could include customer names, credit card numbers and addresses," may be released. The FBI, the Department of Justice, Congress and data security and privacy authorities in the U.K., Canada and Taiwan are all involved in the investigation of not only the hackers, but Sony as well.
This is bad stuff, but everything is not always as it seems.
Sony may not be a victim, but rather—if it knew of the security issues and did nothing—it may have been an unwitting participant in a crime where the real victims are the gamers who placed their trust in that security, that turned to it and paid for the entertainment offered and that could have their credit cards and information compromised. Canceling accounts, at this point, will do no good. The information is already in the Sony database and if they can't ward off the attack, or if the data was already pilfered, anyone that used a credit card to pay for services may be at risk. (Word of warning to SOE users: Keep a close eye on your card accounts.)
There is no immediate word on when services might be restored but at what point does that become moot? Can Sony recover from this? Maybe. Does it deserve to recover? That will be something for its former and remaining customers to decide.