The Sony PlayStation Hack [Infographic]

Are your credit card details safe?


Gamers were left puzzled on April 20 when the PlayStation Network went down, cutting off access to the store and a host of other services, including the media portal Qriocity. At almost two weeks and counting, the outage is the longest in the network's four-and-a-half-year history. But as it turns out, the threat to players is graver than an interruption to their spring-break gaming: they'd just been subject to one of the greatest security breaches in recent Internet memory.

The day after the shutdown, Sony acknowledged the issue, saying they were investigating the cause of the problem and that restoration may take a day or two. The reason was only alluded to, not explicitly announced, two days later, when officials admitted the network's security had been breached. The "external intrusion," as they called it, occurred sometime between April 17 and 19.

Little happened in the next few days, except for a few hasty announcements. On April 23, Sony apologised again and said they were rebuilding the system and strengthening its network infrastructure; two days later, Patrick Seybold, Senior Director of Corporate Communications and Social Media, blogged that he didn't have much in the way of updates, just that the process was "time-intensive." No mention was made of the intrusion.

Sony Playstation Network Hack - Infographic


Sony finally confirmed the worst on April 26, nearly a week after the shutdown. After reiterating its previous statements, it admitted, via its Verified Corporate Twitter feed, that the intrusion had compromised users' personal information, including credit card data. Members were promptly advised to monitor their accounts for suspicious activity and have their credit cards blocked for good measure.

On May 2, the company admitted they'd got the numbers wrong: about 25 million more users were affected than previously thought, according to a Reuters report. A second attack also resulted in the theft of over 10,000 direct debit records from all over Europe, over 12,000 credit and debit card numbers from non-U.S. users, and an outdated database dating back to 2007, forcing Sony to take down the Sony Online Entertainment service.

Sony on the spot

Sony has understandably taken a beating from the incident. One could argue that their response was timely; they did turn off the network and its services as soon as the problem was detected. In an email to users on April 28, published by Gamers Hub, they detailed the steps they were taking to protect consumers. They included, among other things, hiring a third-party security firm to carry out a thorough investigation and rebuilding the system to "enhance security and strengthen [their] network infrastructure."

The main question is: why did it take them so long to own up? If they were so quick to act on it, why did they wait nine days to tell users their credit card information had been stolen?

Seybold answered some of the questions on the U.S. PlayStation blog. According to him, they learned of the intrusion and of the data theft at different times: they identified the former on the 19th and promptly shut services down, and had to conduct forensic analysis over several days to find out its scope. About a week later, their experts reported that credit card information had been stolen, after which they made the public announcement.

Gamasutra, a gaming blog, is one of many parties that aren't buying it. Editor Chris Morris believes Sony has long had problems with public communication. In an article about the alleged discontinuation of the PSP Go, which also mentions the hack, he compares Sony to "an ostrich with its head in the sand," avoiding questions with motherhood statements and providing answers that are ambiguous.

Users added that if the breach were serious enough to require a complete shutdown on the 20th, Sony should have considered the possibility of data theft and alerted users right away, according to a report by UK website PC Pro. This would have allowed them to take preventive measures immediately, instead of leaving them vulnerable for six whole days.

As it happens, the first acknowledgment of the incident made no reference to a security breach, saying instead that the system was "undergoing maintenance." The first clue that the network had been hacked didn't come out until two days later, and for many, that's two days too many. In a letter to Sony representatives, Connecticut Senator Richard Blumenthal said it was troubling that they held back the details of the attack for so long.

Another question worth asking is how it happened. Unlike the delayed announcement issue, this one is clearly Sony's fault, as most experts agree. Carole Theriault of Sophos, a security software developer, says the whole point of data security is to protect your network from external attacks (those perpetrated by parties outside the company), and that's exactly what Sony allowed to happen. The fact that some of the data (luckily, not the credit card numbers) were unencrypted also shows a lack of vigilance on Sony's part, according to Benjamin Cohen of Channel 4 News Technology.

Conspiracy theories

The question of who perpetrated the breach was nowhere near as significant, but it has generated some buzz of its own. To date, no one knows, although conspiracy theories have turned up, to no one's surprise. Initial speculations pointed to Anonymous, a group of online vigilantes who had previously slammed Sony for taking legal action against George Hotz, a 21-year-old who had cracked the PlayStation's software so that it could run unauthorised programs. Many think that the breach was Anonymous's way of teaching Sony a lesson.

In online forums, gamers are putting forward their own theories. Certain members on think that Sony is using the Anonymous excuse to its advantage, covering up the fact that the breach was in fact the result of its own shortcomings. After all, they say, it's easier than owning up to their fault, and it channels the hate (mostly of those looking forward to some gaming over the Easter break) away from them and towards Anonymous.

Sony has denied that the "hacktivists" had anything to do with the attack, although at the time of the May 1st interview they hadn't come up with an alternative. In a press conference in Tokyo, as reported by PC World, Games Division CEO Kaz Hirai admitted that while they had been attacked by Anonymous a few weeks before, they found no link between the group and the breach in question. Anonymous themselves posted a blog denying any involvement, although they didn't rule out the possibility that some of their members may have acted individually.

The bigger picture

In terms of users affected, the Sony PlayStation breach far outpaces the 2007 attack on the department store chain TJX, where some 45 million accounts were compromised. Canada's CBC News ranks it one of the top five security breaches of all time. Investigations have been conducted, accusations fired, lawsuits filed. But the important questions (why and how it happened, what users should do, whether it could have been prevented and how) remain unanswered. What do these events mean for Sony, its users, and the business of online security?

No clear reason has been given for the breach and how it happened. And if Sony takes a cue from others who have faced similar situations, it will only speak if pressured in court. That day may come soon enough: the UK's Information Commissioner's Office, Canada's Privacy Commissioner Jennifer Stoddart, and Senator Blumenthal have all announced intentions to question the company and conduct investigations. U.S. Representatives Mary Bono Mack and G.K. Butterfield have sent a letter to Sony demanding information on the breach's discovery and how it plans to deal with the crisis.

While we're waiting for answers, speculations abound. The Daily Telegraph highlights the fact that any system linked to the Web is prone to data theft. And with a 77-million-strong customer base and just as much credit card information up for grabs, the PlayStation Network was practically winking and waving at hackers.

Even if credit card data hadn't been stolen, password files were. And even if changing your password were all it took to patch things up, it brings to light another issue: the encryption of user data. Experts have been urging companies to do this for years, according to the Telegraph. But Sony admitted in one of its many statements that the stolen passwords were unencrypted. That's a whole new bag of questions and accusations right there.

The incident is also a major blow to cloud computing, the practice of storing and retrieving data from a central location instead of individual computers. The Sony experience, dubbed IT's "Deepwater Horizon moment" in a Eurogamer article, sheds light on the weaknesses of the system, both to users and providers. Given that many companies are just about to jump on the trend, this fiasco may have come at just the right time.

What users can do

1. Keep a look out for phishing attempts in the form of e-mail scams

In its April 28 message, Sony advised PlayStation Network users to watch out for phone, mail, and e-mail scams, particularly those that ask for personal information. They maintained that Sony would never ask for any identity information, including credit card and social security numbers, and reminded users never to provide them to any third party. They also urged users to change their username and password as soon as the PlayStation Network and Qriocity services were back on, and do the same for any accounts (even unrelated ones) where they use the same username and password.

2. Keep a close eye on your credit card statement

Sony also encouraged users to check their account statements and credit reports for any unauthorised transactions. They provided contact information for Experian, TransUnion, and Equifax, the three major credit bureaus in the U.S., and said that U.S. residents can have one copy of the report for free every year. As an added measure, users can have a "fraud alert" status put on their file to watch out for suspicious activity, Sony said.

In an interview with Channel 4, Trend Micro's security research director Rik Ferguson agrees with Sony's advice, saying users should keep a close watch on their transactions. Ferguson added that e-mail passwords should be of particular concern, as they can unlock all sorts of other information linked to the e-mail address. It's like a skeleton key to all your other accounts, he said. Carole Theriault of Sophos says about 40% of internet users use the same password for every account.

3. Consider cancelling your credit card, or having a new credit card number re-issued to you

Action Fraud, the largest fraud reporting center in the UK, reminds users that keeping an eye on their account activity is their standard obligation, with or without the threat of fraud. Events like the Sony PlayStation hack merely serve as a reminder to be more vigilant. Others suggest taking it a step further and cancelling the card altogether.

4. Change your "secret answer" information for retrieving passwords

Graham Cluley, a developer at Sophos, highlights another piece of information that may have been stolen: secret answers for password retrieval. If hackers have this information, they can easily retrieve your new password after you've changed it. If your credit card issuer has the same feature, it's all the more reason to change. Play it extra safe and don't set a question that's traceable, such as your mother's maiden name or the last four digits of your phone number. Choose something that they won't find online, such as your first pet's name.

Lessons learned

The Sony incident will go down in history as one of the gaming world's biggest fiascoes. That much we're sure of. On the bright side, if we can call it that, online consumers and providers can learn a few new lessons, and perhaps relearn forgotten ones, in the world of security and public trust. eWeek, an IT business magazine, sums it up in ten points:

  1. Big names can't always be trusted - Sony was a pioneer in technology, but it proved just as vulnerable to attacks as your average company.
  2. Not all information should be shared - Too many companies, Sony included, ask for information they don't really need. Leave optional fields blank.
  3. Sometimes it's out of your hands - Sony's breach proves that even the most vigilant users can be harmed through no fault of their own.
  4. There's no comfort zone - It's when you fall into a sense of security ("Nothing's happened so far, anyway") that you're most vulnerable to data theft.
  5. Sometimes, offline is better - The offline world has its share of security issues, but on the whole they are more manageable. If there's an offline alternative to sharing information, it may be worth a try.
  6. Vigilance is key - Even without the threat of identity theft, consumers have a basic responsibility to monitor their accounts.
  7. Cloud computing makes for a scary future - After the Sony fiasco, will users still be comfortable putting so much of their professional and personal information online?
  8. Your antivirus isn't enough - Bolster your online arsenal with web-security software. These programs encrypt all communication from your computer, so that anything that's stolen will be useless to the thief.
  9. Threats to your financial identity can exist anywhere - Playing a game of Portal 2 may be the last place you'd expect criminals to lurk, what with bank and government sites carrying much more sensitive information. But as it turns out, hackers don't discriminate.
  10. Exposure must be minimised - The fewer the sites you give your information to, the better.


3 Responses

  1. Navin, May 25, 2011

    That was awesome, how can I dislike.
    Thank you for this awesome post.

  2. Navin, May 24, 2011

    nice share :) keep it up

    • Jeremy (finder Customer Care, Staff), May 24, 2011

      Thanks Navin – glad you like it!
