In a news conference held over the weekend, electronics giant Sony issued an apology for the recent data breach of its PlayStation Network, in which hackers gained access to personal data related to the service’s more than 77 million users. Along with the apology, the company for the first time offered some significant detail about the nature of the attack that has crippled its service for more than 10 days now.
On April 20, the company took the PlayStation Network offline, revealing a few days later that the PSN outage was self-imposed following an intrusion. The company said it was rebuilding systems to ensure that they would be secure when brought back online.
Several days later, Sony revealed that customer data for almost 78 million users had been compromised. At the time, the company could not say for certain whether credit card data had been exposed. The company later said that credit card data had been encrypted, but that usernames and other information had not.
While the PlayStation outage is not a hosting story per se, it is a vivid illustration of the importance of data security to delivering a hosted subscription service. The data breach was one of the largest ever in terms of the number of customers affected, and while the PlayStation Network is a mostly free service, its lengthy outage has also delivered a significant hit to Sony’s brand, judging by the outrage populating many of the blogs and comments sections relating to the incident.
On Sunday, Kaz Hirai, head of the company’s gaming division, offered a timeline for the services’ return, beginning later this week. Online gaming and access to unexpired movie rentals will be the first services to return to PSN, while users of the Qriocity streaming media service will be able to access Music on Demand. Other functions will return closer to mid-May.
According to a Monday report by Data Center Knowledge, Sony’s plans for rebuilding and relaunching the service include moving the infrastructure to a new data center. The company has reportedly accelerated pre-existing plans to move the system to a new data center in a different location. The services were previously hosted in facilities operated by AT&T’s game hosting unit.
“We’d like to extend our apologies to the many PlayStation Network and Qriocity users who we worried,” said Hirai, quoted in a story appearing in Computerworld. “We potentially compromised their customer data. We offer our sincerest apologies.”
According to Computerworld, Sony’s chief information officer Shinji Hasejima detailed the investigation into the initial attack. The company was alerted to unusual network activity, and over the course of a day, discovered the attack and took the service offline, hiring first one, then another specialized network security company to investigate.
The company also says it is working with the FBI, which has launched an investigation into the attack.
While Sony does not yet have a complete picture of the breach, it said the attack was launched from an application server that sat behind a web server and two firewalls on Sony’s network, and that it involved software designed to access customer data. The company says there is a high likelihood that personal information was taken, including names, addresses, birthdates, email addresses, login names and encrypted passwords.
While 10 million PSN accounts have credit card information attached, Sony says it has not yet uncovered evidence that credit card information was compromised. The card data was stored in an encrypted database. The company has already advised customers to watch for unusual information. Hirai reportedly said the company will pay the cost of reissuing credit cards on customer request.
For some users – many of whom have been vocal in their disappointment – the apology will be too little, too late. The company has obvious competition in the gaming console space, particularly Microsoft’s Xbox.