Five questions for Sony about PSN breach

The company finally came clean with customers yesterday about the personal information exposed in a PlayStation Network security breach. But there's still plenty more Sony needs to answer for.

Erica Ogg Former Staff writer, CNET News

After a week of PlayStation users wondering why they couldn't access PlayStation Network, Sony dropped the bomb yesterday: someone had gained access illegally to the personal information of more than 75 million of its users, forcing the company to shut down PlayStation Network and rebuild it, along with the related media download service Qriocity.

Sony had issued a few brief updates late last week and over the weekend acknowledging the service's outage and then an "external intrusion," but it didn't explain the consequences until yesterday.

The information exposed includes customer names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity usernames and passwords, and online user handles. Sony says there is "no evidence" that credit card information was compromised, but the company advised customers to monitor their credit cards for erroneous charges anyway.

Making matters worse for customers nervous about their personal information being in the hands of someone who shouldn't have it, the service will continue to be unavailable for at least another week. Until then, users have no way of resetting their password or deleting their credit card information. Customers are, understandably, apoplectic.

So while Sony has (finally) given us useful information about the breach, there are still some big questions the company needs to answer. Here's what we'd still like to know.

Who did this and how were they able to access our information?
It's fairly basic, but it's the question on everyone's mind. How was anyone able to worm their way inside Sony's system? Was the security that poor? And even though someone was able to get the data, were our names, birthdates, addresses, and passwords not encrypted?

In regard to who did this, Sony's statement yesterday used the singular when describing the breach as being the work of "an unauthorized person." One person was able to do a lot of damage.

The company has said it is basically rebuilding its PlayStation Network from the ground up to beef up security. Without more answers, all of this calls into question Sony's security and whether the company can be trusted with this type of information again.

Why did it take a week to inform customers their credit card information may have been exposed?
Sony has told us the company found out on April 19, a Tuesday, that someone had accessed user information on PSN. The company did not inform the 75 million registered users of PSN and Qriocity that their personal information had been exposed until April 26, the following Tuesday. Customers are understandably angry, and some are even suing.

Sony did offer this explanation late Tuesday night: When the company found out on April 19 about the hack, it hired a private security firm to do a "forensic analysis" to figure out what personal data, if any, had been stolen or exposed.

But a week is a long time. If the company was even thinking that personal information, and especially credit card information, was in the hands of someone illegally, customers would obviously want to know.

Most states have laws that require companies to notify customers when sensitive personal information has been exposed, including Social Security numbers and credit card numbers, which could be used for financial and identity fraud. But since Sony has said it "has no evidence" that credit card information was exposed, it doesn't appear the company has violated any state laws by waiting to tell customers.

The timing of Sony's informing its customers has also attracted the attention of Sen. Richard Blumenthal, a Connecticut Democrat who yesterday wrote a letter to Jack Tretton, president and chief executive of Sony Computer Entertainment America, saying he was troubled that the company had not notified customers sooner about the breach. He also called for Sony to provide affected customers with financial data security services, including free access to credit reporting services for two years to protect against identity theft.

Have you contacted law enforcement?
The company has so far refused to answer this question. In response to a query from CNET, Sony issued this statement: "To ensure the confidentiality and effectiveness of this investigation, we cannot discuss details at this time."

How is Sony compensating customers?
While it's free to sign up for PlayStation Network, much of the content that can be downloaded requires a separate subscription to use, and every day that customers can't access that content, they're essentially losing money for something they've prepaid for. And it's not just games.

Other examples include the Netflix app that can be downloaded from the PSN Store and used to access Netflix's Watch Instantly subscription feature; MLB.TV's $100-per-season game package, which lets users watch MLB games on a TV via the PS3; the paid version of Hulu, Hulu Plus; and more.

PSN Plus customers are also losing money, since they pay for year-long or several-month blocks of time to access exclusive content from PSN. As of now, they are also unable to play some games they've already downloaded, because PSN has to be operational to play them.

What happens to files stored in PSN Plus cloud backup service?
In March, Sony introduced a new feature of PSN Plus that lets gamers store 150MB of saved game data on their PSN account. In other words, paying users could remotely back up game data already saved on their console to this cloud storage service as well.

But now that Sony has shut down PSN and is "rebuilding" it, will all of that data still be there when the service is restored next week?

We'll update this story when we get more information.

Update 5:30 p.m. PT: Sony just posted some answers on its site. Here's what they said in response to some of the questions above.

  • While credit card data was encrypted, personal information of customers was not. "But (it) was, of course, behind a very sophisticated security system that was breached in a malicious attack," wrote Sony spokesman Patrick Seybold.
  • Sony says it's working with law enforcement but has yet to disclose which branch or agency.

Update 4/28 9:13 p.m. PT: In yet another update to its blog, Sony answered question No. 5 listed above. The PlayStation Plus cloud backup service will be available when PSN is restored. Friends, download histories, and trophies will also be restored, according to Seybold.

Sony also promises it will "make good" on the downtime causing customers' paid subscriptions to be unavailable, but has not specified how yet.