Today marks the eighth day since Sony shut down it’s PlayStation Network due to an “external intrusion.”
Late yesterday, the news surfaced that users’ personal information had been compromised during the attack. This announcement simply confirmed already existing fears that PS3 users had been talking about since the outage began. Sony was quick to assure users the there is no evidence that credit card numbers were compromised, they didn’t rule out the possibility that it had happened.
We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID. It is also possible that your profile data may have been obtained, including purchase history and billing address (city, state/province, zip or postal code). If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. If you have provided your credit card data through PlayStation Network or Qriocity, it is possible that your credit card number (excluding security code) and expiration date may also have been obtained.
The latest update on the PlayStation Blog says that the network was shut down for “forensic analysis” once the breach was discovered and that they only came clean about the information theft yesterday because they didn’t understand the scope until yesterday.
I wanted to take this opportunity to clarify a point and answer one of the most frequently asked questions today.
There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.
For those who were looking there’s also an FAQ with some more frequently asked questions
Thank you for your continued patience and support.
The Playstation EU blog adds this tidbit:
Update: Due to ongoing work to bring PSN back online there will be no scheduled content publish this week for PlayStation Store or PS Home. We will resume our scheduled publishing as we bring services online again.
The above link to the FAQ page provides some new info, but very little. There is still no definite timetable for when the PSN is set to go back online. Sony says that they will keep the PSN down to “verify smooth operation” when “security concerns are addressed.”
FAQ #16 mirrors a topic that has been debated thoroughly in our comments, “I Want My Money Back.” Sony says that once services are restored they will “assess the correct course of action.”
The fact that it took a whole week for Sony to announce that user info was compromised has to incense the PS3 community. The fact that that admission is the most transparent, detailed statement to come from Sony in over a week must incense them even more.