It all started on April 20, when the PlayStation Network went down. A post quickly went up on the official US page of PlayStation Blog which revealed nothing new except that Sony is aware of the network issue. Then, a day later another post went up wherein Sony stated that it would take them a day or two to get servers worldwide back up and running. It was only on April 22 when Sony admitted that the PlayStation Network was affected by an external intrusion and that they had pulled the plug on the online services ( which includes Qriocity ) on the evening of April 20 – the day when the first blog post went up regarding the infamous attack. Another day passed, and on April 23, Sony stated that their employees were working around the clock to “re-build” the infrastructure.
Fast-forward a few days until April 28 and Sony has gradually admitted the facts about the attack:
Between April 17 and April 19, Sony discovered that the user account information of certain users was compromised. In response to which, Sony completely turned off their network services; engaged an experienced security firm to conduct thorough investigations and took immediate steps to rebuild their infrastructure ( which was actually underway since April 23 ).
The external intrusion led to the compromise of sensitive private data of users worldwide such as: name, address, country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. Sony also stated that it is possible that the intruder(s) could have obtained data relating to users’ purchase history and billing addresses in addition to PlayStation Network/Qriocity password security answers. Quite disappointingly, Sony added that they did not rule out the possibility of users having their credit card info compromised.
Apart from the aforementioned security firm that Sony is roping in, it seems that Sony is also taking the help of law enforcement as the external attack is a criminal act and also because Sony is ( understandably ) quite keen on finding the culprits.
Credit card data of users was encrypted, but not the personal data. Although, access to all user data was physically restricted and digitally protected.
Sony started sending out emails to all 77 million registered users regarding the attack since April 26 and anticipates every user to have been notified by April 28.
- Sony – as a protective measure – is completely shifting their network infrastructure to a new and secure location.
- Sony is expecting all services to be up and running worldwide by May 3.