The Play by Play On Sony’s Massive Data Breach

By Ian Sherr and Nick Wingfield

On a Tuesday afternoon last month, engineers working for Sony Corp. were baffled when several servers running the company’s PlayStation Network suddenly turned themselves off and then back on.

At the time, the unexpected rebooting seemed like an odd malfunction. The next day, however, the engineers found the first evidence that an intruder had penetrated Sony’s systems, prompting the Japanese company to take what it calls “the almost unprecedented step” of shutting down the popular online gaming network.

Sony Chief Executive Howard Stringer issued a public apology this week for what the company later disclosed was a data breach that compromised more than 100 million user accounts on three public networks, and a delay in informing users of the theft. Sony says the loss included users’ names, birthdates and passwords. It also hasn’t ruled out the loss of credit card numbers associated with the Sony PlayStation network.

Some analysts believe the incident, which has drawn the attention of authorities around the world, will cost the company more than $1 billion for measures that include new security and a $1 million insurance policy for any victims of identity theft. The company hasn’t provided its own estimate of the cost. It also hasn’t resumed operating the network, but has said it is in final testing and is expected to do so within days.

“Taken as a whole, the number of customers affected, the PR impact and now the legislative inquiries,” this ranks “at the top” of data breaches to date, said Cynthia Larose, an attorney specializing in privacy matters with Mintz Levin in Boston.

PlayStation Network, which is accessed by owners of Sony game consoles, uses 130 server systems, 50 software programs and has 77 million user accounts, according to a letter that Kazuo Hirai, president and group chief executive of Sony Computer Entertainment Inc., sent Wednesday to a U.S. congressional committee. That letter, and a similar account included in a letter Friday to Sen. Richard Blumenthal (D., Conn.), provide the most detailed accounts of the incident.

 

To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)

 

(Published May 7, 2011, in The Wall Street Journal.)

Sony Brings In High-Tech Sleuths

By Ian Sherr

New details emerged about Sony Corp.’s investigation into one of the biggest data breaches in history, as the company attempts to piece together who stole personal information from more than 100 million accounts on its online game networks.

At least some of the attacks came from a Malaysia-based server, a person familiar with the matter said, though it wasn’t clear if any of the hacking was actually done from there, or whether only the server there was used.

On Tuesday, a U.S. spokesman for Sony confirmed some of the companies helping to investigate the breach and secure its network against further intrusions. The security firms named are Protiviti Inc., Guidance Software Inc. and Data Forté Corp., which specialize variously in forensic computer investigations and security consulting.

The company has also retained the services of the law firm Baker & McKenzie in connection with the matter. Representatives of the law firm and two of the security firms didn’t respond to requests for comment. Guidance Software declined to comment.

Political pressure on Sony for a more complete accounting of its handling of the data breach has been increasing. Sen. Richard Blumenthal (D., Conn.) on Tuesday sent a letter to Sony executives saying he is “deeply concerned about the egregious inadequacy of Sony’s efforts thus far to notify its customers of these breaches or to provide adequate protections for users whose personal and financial information may have been compromised.”

 

To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)

 

(Published May 4, 2011, in The Wall Street Journal.)