Sony’s senior executives formally apologized to its customers for the PlayStation Network breach and assured them they were rebuilding the network to prevent future incidents.
Three of Sony’s senior executives apologized to users after hackers penetrated the PlayStation Network and stole customers’ personal information.
Kazuo Hirai, the head of Sony’s video game and consumer electronics unit, and two other senior executives bowed deeply in apology for the PlayStation Network’s April 19 data breach at a press conference at the company’s Tokyo headquarters on April 30.
This is the first official comment from Sony executives since the entertainment giant revealed April 28 that hackers had compromised the PlayStation Network and Qriocity online music and video service.
“We apologize deeply for causing great unease and trouble to our users,” Hirai said at the press conference.
The PlayStation Network service is expected to be restored some time this week and Sony has fortified its network against future attacks, Hirai said. The restoration will occur in phases across various regions.
The service was shut down to prevent additional damage and it took time for the company’s team to determine what had happened. Sony was cooperating with the Federal Bureau of Investigation and other law enforcement authorities regarding the attack on Sony’s San Diego-based data center.
“The organisation has worked around the clock to bring these services back on line and are doing so only after we had verified increased levels of security across our networks,” Hirai said.
Despite complaints from gamers, Sony did the “right” thing in disabling the PlayStation Network, Jon Heimerl, director of strategic security for Solutionary, told eWEEK. After disabling the network, they “hired someone more qualified” to investigate and fix the problem and divulged what information they believe may have been compromised.
“For a ‘crisis mode’ incident response, we could hardly have asked for better,” Heimerl said. Sony said they are rebuilding their network with better security and asked for patience as they do this, according to Heimerl.
While personal information belonging to 77 million users had been accessed, about 10 million of those accounts had credit card numbers attached, Sony said. The credit card information had been protected using a cryptographic hash function and the security code had not been stored. While the company was warning users of the possibility, it said there was no solid evidence that the card numbers had been stolen at all.
While United Kingdom-based Guardian claimed some PSN users were reporting they had been hit by credit card fraud, there was “no truth” to reports that a hacker was offering to sell millions of credit card numbers stolen from PSN, or that Sony had been offered the opportunity to buy them back, Patrick Seybold, Sony’s senior director of corporate communications and social media, wrote on the PlayStation blog.
The bigger concern, according to Heimerl, is the fact that 73 percent of users tend to reuse passwords across work and “play” accounts. Enterprises should be concerned about the likelihood that some of the 77 million victims work in their organization and may be using the same passwords to access company Web mail or to telecommute into the office network.
Sony has also taken its Sony Online Entertainment service offline temporarily.
“In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately,” according to a maintenance note posted on the service’s Web site.
Hirai claimed Sony’s online services had been under attack from various sources for over six weeks. One of the attacks was tracked back to members of the hacktivist group Anonymous, who stole “personal information of Sony top management” and publicized information about their families to protest Sony’s lawsuit against PlayStation 3 hacker George Hotz. Anonymous has denied being part of the PSN attack.
To regain consumer trust, Sony is offering a “Welcome Back” package, including complimentary downloads and 30 days of free service.
Heimerl suggested online users stop entering valid information into registration forms. Unless they are entering credit card information, there is no need to enter a valid mailing address just to create an account on an online service. Use a spam-specific email account to sign up for a mailing list or register a product, Heimerl said.