The Play by Play On Sony’s Massive Data Breach

Originally published May 7, 2011

By Ian Sherr and Nick Wingfield

On a Tuesday afternoon last month, engineers working for Sony Corp. were baffled when several servers running the company’s PlayStation Network suddenly turned themselves off and then back on.

At the time, the unexpected rebooting seemed like an odd malfunction. The next day, however, the engineers found the first evidence that an intruder had penetrated Sony’s systems, prompting the Japanese company to take what it calls “the almost unprecedented step” of shutting down the popular online gaming network.

Sony Chief Executive Howard Stringer issued a public apology this week for what the company later disclosed was a data breach that compromised more than 100 million user accounts on three public networks, and a delay in informing users of the theft. Sony says the loss included users’ names, birthdates and passwords. It also hasn’t ruled out the loss of credit card numbers associated with the Sony PlayStation network.

Some analysts believe the incident, which has drawn the attention of authorities around the world, will cost the company more than $1 billion for measures that include new security and a $1 million insurance policy for any victims of identity theft. The company hasn’t provided its own estimate of the cost. It also hasn’t resumed operating the network, but has said it is in final testing and is expected to do so within days.

“Taken as a whole, the number of customers affected, the PR impact and now the legislative inquiries,” this ranks “at the top” of data breaches to date, said Cynthia Larose, an attorney specializing in privacy matters with Mintz Levin in Boston.

PlayStation Network, which is accessed by owners of Sony game consoles, uses 130 server systems, 50 software programs and has 77 million user accounts, according to a letter that Kazuo Hirai, president and group chief executive of Sony Computer Entertainment Inc., sent Wednesday to a U.S. congressional committee. That letter, and a similar account included in a letter Friday to Sen. Richard Blumenthal (D., Conn.) provide the most detailed accounts of the incident.


To read the rest of the story, either contact me directly or read more online at the WSJ: here. (subscription required)


(Published May 7, 2011, in The Wall Street Journal.)