The Two Year Anniversary Of The PSN Hack


On the 21st of April, 2011, the PlayStation Network went down. “Nobody knows why yet,” we said of that fateful morning. “Once we get an update, we’ll let you know what’s going on.” That update, as you’ll remember, took days and weeks to fully materialise into the complete truth, and when it did, Sony’s previously bulletproof network was in pieces.

The end result was a £250,000 fine. But that was this year, and back in 2011, when nobody knew what was going on, any kind of resolution was a long way off: ICO’s involvement, free games, the ability to log back in – all out of reach, and it would take three weeks before the network was back up to something like operational.

Timeline

19/04 – Attack on PSN services apparently occurred

20/04 – PSN switched off, maintenance message appears

25/04 – Patrick Seybold writes on Blog – no date for fix

26/04 – Sony confirm scale of hack, “illegal intrusion”

01/05 – Welcome Back package announced

02/05 – Sony announce SOE site hacked, 12,000 cards stolen

15/05 – Some services stir into life, 3.61 firmware released

18/05 – another exploit found on SOE site

Of course, at the time, we made light of the situation. The second day of the downtime brought nothing but mild amusement from us, but the story made the BBC within 24 hours, citing Sony as saying the issue was due to an “external intrusion” which turned into a “sustained LOIC attack on the PSN Store” and – something that would end up being crucial – “a concentrated attack on PS servers holding account info.”

That attack on the servers holding account info would – quite quickly – turn into a PR nightmare for a company holding so much data. Reuters called it “the biggest Internet security break-in ever”.

By the 25th Sony couldn’t confirm whether user data had been compromised, and then on the 26th everyone’s worst fears came to fruition – potentially, the hackers had everything. 337 comments on TheSixthAxis’ late night post showed people cared, and the statement that “user account information was compromised in connection with an illegal and unauthorized intrusion into our network” was scary.

Data seemingly out in the open included, verbatim, “name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID”, with Sony saying that it was also possible that “profile data, including purchase history and billing address, and your PlayStation Network/Qriocity password security answers” may also have been obtained.

This was information that could, as Sony would acknowledge, be used elsewhere – security questions and answers especially – and with all that information exposed Sony had little choice other than to offer up identity theft protection. It wasn’t made a big deal (for obvious reasons) but this couldn’t be something to totally sweep under the rug. And despite assurances that key information was encrypted, anecdotal evidence still floats around that some users fell victim to credit card fraud.

In May Sony said that “there is no confirmed evidence any credit card or personal information has been misused.”

The first lawsuit was filed on the 27th, with Sony’s share prices diving a day later. The estimated cost to the platform holder, at that point, was a cool $1.5 billion, but let’s not forget the developers and publishers whose games couldn’t be sold online and, in the midst of current discussion about an ‘always-on’ next generation, games that wouldn’t even boot without the network being live.

“There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.”

Sony, on why there was such a delay in letting customers know what had happened.

By the 15th of May, things started to tick back into life, and Sony’s “Welcome Back” package – a smattering of free games to download – was both a smart PR move and what appeared to be a genuine desire to apologise to its customer base.

It’s worth remembering that at this point PlayStation Plus didn’t have an Instant Game Collection – that would happen a year later – so the games were mostly well received by loyal fans. The idea, of course, was to make Sony the good guys.

And yet, in June, another of Sony’s sites fell victim to a “simple” SQL injection, resulting in the potential loss of another 1,000,000 chunks of user data including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. This was in the middle of reports that Sony had laid off some of its security staff just before the main PSN hack occurred, leading some to suggest it was all the fault of disgruntled ex-employees rather than anyone outside of the company.
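The “simple” SQL injection mentioned above is worth seeing in miniature. The following is an added example, not code from this article or from Sony; the user table, its columns and the sample rows are constructed for illustration. It shows a lookup that builds the query by string concatenation next to the parameterised form that fixes it, run against the same input.

```python
import sqlite3

# Constructed in-memory table standing in for a site's user records
# (hypothetical schema; nothing here is Sony's).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT, birthdate TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice@example.com", "hash-a", "1980-01-01"),
        ("bob@example.com", "hash-b", "1990-02-02"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # Defect: the untrusted value is spliced into the SQL text, so a quote
    # character in it changes the structure of the statement itself.
    sql = "SELECT email, birthdate FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, email):
    # Fix: the statement is fixed before any user data is seen, and the
    # value is bound separately; it can only ever be compared as data.
    sql = "SELECT email, birthdate FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def demo():
    conn = build_db()
    genuine = "alice@example.com"
    # The textbook quote-and-OR input: against the concatenated query it
    # turns the WHERE clause into one that is true for every row.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_genuine": len(lookup_vulnerable(conn, genuine)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterised_genuine": len(lookup_parameterised(conn, genuine)),
        "parameterised_hostile": len(lookup_parameterised(conn, hostile)),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The concatenated version hands back the whole table for the hostile input; the parameterised version returns nothing, because the bound value is compared as a literal string. Note too that the constructed table stores a password hash rather than the password, so that even a dump of the table would not directly yield the credentials the article says were lost.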

According to US site CNet, however, it was LulzSec behind the intrusion. Last week four members of the group pleaded guilty to the hack of 70 million PSN accounts, resulting in three weeks of complete downtime for the network and a direct cost to Sony of an estimated $170 million.

Looking back to the events two years ago might feel like a distant memory, but the results can still be felt 24 months later: Sony’s PlayStation Plus service and its general approach to regional parity carry echoes of a company still trying to do the right thing, an extended charm offensive that is by all accounts paying off well. Trust and confidence were at an all-time low in the summer of 2011, but in 2013, on the cusp of a new generation, it’s hard to find regular fault with SCE.

Of course, Sony’s updated terms and conditions – those that say users can’t file claims about the company – are still frowned upon.

No company is perfect, and anyone thinking that the bottom line isn’t about revenue is wrong, but this feels something like a changed Sony, an organisation seemingly doing its best to provide what its customers (and developers) want, and – for the most part – staying on the right side of those 70 million precious accounts. Whether that’s just coherent, constant good PR or a genuine shift is for another blog entirely.

Hopefully nothing like this ever happens again for Sony.

41 Comments

  1. The hack was a bit of a learning experience for me, I’d previously been cautious with my card details and address but had never been the victim of fraud. Admittedly I panicked a bit, ringing Sony to ask them to delete my card details. The poor guy on the phone, who sounded like he’d been hassled to buggery already, was brilliant and courteous in explaining that he couldn’t, that on behalf of the company he was very sorry, and that informing my bank and getting a new card would be a good course of action. My bank were great too, they listened to my worries and all was sorted in an hour or so. I think Sony, having made mistakes but in the end been hacked successfully despite working hard on their security, have behaved well and have certainly won back the confidence of plenty of their customers.

  2. Scraping the barrel springs to mind. “One year later” fair enough, but two? It must be a slow news day. 8)

    • The court case just wrapped up at the end of last week (with LulzSec admitting the breach), the anniversary is a week away so this editorial seems to come at a pertinent time, just as the whole thing is being put to bed.

      It was written over the weekend and posted at 9AM on a Monday morning. So even if this /was/ news (it’s not, it’s editorial) then it could hardly be a reaction to a “slow news day” that hasn’t even begun…

  3. Did they ever actually offer id protection outside the US? I never saw anything after they said they were working on it.

    • Yes. I even got it in a small country.

  4. Has it really been 2 years since the hack? Fuck me, doesn’t time fly.
    Anyway, back on track…. IMO Sony have done a top job on winning its customers over since the hack & seem to be a totally different (better) company.

  5. Damn, 2 years? That is insane! Time does really fly, it seems…
    I think I did what most people didn’t: I actually went from buying PSN cards to using my credit card on the store!

  6. I’ll be honest, this was bad but pales in comparison to the tax information hack that happened here in the state I live in, where the files were unencrypted and contained bank account info, social security numbers, names, addresses, and various other juicy tidbits… So I have forgiven Sony in light of it all, as they were definitely the smallest of the two information hacks I’ve had to live through in the past 2 years…
