I don't know heck how secure the Sony systems were. But I find it remarkable that almost everyone is just angry at Sony and none against the criminals who did this. I'd suppose there is no system that is 100% safe. Just saying.
We are angry at Sony and SOE, because they stored our Account and Personal information UNSECURED in databases!
Not to mention they kept an UNSECURED database ONLINE with people's account, personal and credit information!! Outdated or not!
There is absolutely no excuse for this! A company that receives millions of dollars a month alone via subscription fees and Cash Shop purchases!
People underestimate the danger of their Login name (station account name) being stolen! Especially since many many people use this same Login name / account name for many online services. Passwords can be changed, but login names / account names cannot!
This will have severe consequences and is going to cause a lot of misery for people affected!
I sincerely hope John Smedley will finally be booted from the company! He has been laying off many people these past years due to his incompetence to run the company.
It is now his time to take responsibility for this FIASCO and leave the company! Any CEO would have been fired long ago already. That he is still at the helm is a downright insult! This is really the last straw!
How do you know they were unsecured? I assume they were secured, but security was broken?
Unencrypted! I should have worded it better. I am just pissed off all our personal information, account information and possible credit card information (latter being outdated or not) is lying open on the street!
Especially since it happened a week ago, and them first saying last week everything is fine and peachy... and now a whole week later suddenly saying it is not!
And who says their so-called secured separate recent financial / credit card database environment hasn't been hacked and stolen either?
No one is going to believe SOE now! Not when they first said last week that nothing was stolen! So who says they are telling us everything right now?
They pretty much lost all their credibility right now as a company!
Again, how do you know this? I mean, it would be scandalous no doubt. But how do you know Sony did not take the same security measures as any other company? I mean, it is bad, yes. But no company or government as far as I know was ever 100% secure. There sure is enough reason to question Sony's handling of the information. But where do you get the info that Sony had any less security measures than any other company? I just think with enough criminal energy and knowledge a person could crack any security, encryption or hack into any computer. I mean, even FBI or CIA were hacked once and then.
Where is the outcry against the criminals? Just for the cases of justice: Sony here is the victim just the same as we!
People don't ask questions to get answers - they ask questions to show how smart they are. - Dogbert
Are you for real? Re-read the press release from BOTH Sony and SOE, including their security updates!
Then go to that law firm's website (I posted that earlier in this same topic) and read the contents of the Class Action Lawsuit against Sony (and now most probably also SOE).
I feel the same way. I've been an SoE customer for almost 11 years, and this will not stop me from playing any of their titles, or from trusting them with my information. If people really cared that much about security with their personal info, why not try paying for subs with game cards bought in retail stores or use PayPal accounts to do it? I was a server in a well-known restaurant chain for a long time; you do realize that when you hand your card over to pay your bill they have access to all of your information, right? And if you are in a smaller community they most likely know or can find out birthdate/address/email and everything else. I just love how JK is on here raging all about SoE not taking care of our information when they are most likely not affected by this in any way.
Yes! it is that bad!
Last time I checked people were not guilty before the end of the trial. But maybe that changed. Who knows.
I just can't shake away the feeling people went into torch and pitchfork mode because it's Sony. If the same had happened to, say, Apple, I am sure everyone would defend the company. But Sony is a too easy target to pass, eh?
Again: Where is the rage against the criminals? Far from me be it to excuse Sony, but you guys just have priorities sort of upside down.
People don't ask questions to get answers - they ask questions to show how smart they are. - Dogbert
I feel the same way. I've been an SoE customer for almost 11 years, and this will not stop me from playing any of their titles, or from trusting them with my information. If people really cared that much about security with their personal info, why not try paying for subs with game cards bought in retail stores or use PayPal accounts to do it? I was a server in a well-known restaurant chain for a long time; you do realize that when you hand your card over to pay your bill they have access to all of your information, right? And if you are in a smaller community they most likely know or can find out birthdate/address/email and everything else. I just love how JK is on here raging all about SoE not taking care of our information when they are most likely not affected by this in any way.
If you want to continue to defend them and think it is not SOE's fault, fine with me. That is your choice and I respect that.
I, on the other hand, have worked in IT for over 12 years and what has happened here is a farce! A total farce!
Sure, every company can get hacked (and will be a point in time). That is just a given fact!
The point here is that Sony and SOE are responsible for personal, account and financial information from millions of their users, who entrusted them to handle all that information with care and with proper security measures!
That they stored all that information in their databases without any form of encryption is even more criminal than the hackers who hacked their network and stole all our information!
This practically just has been a ticking time bomb all along... waiting to go off! And now it did!
AGAIN! People need to read the contents of the Class Action Lawsuit, how Sony and SOE got hacked in the first place due to using outdated software (with known security holes) and how they have been slacking in keeping their systems up to date with the latest security updates!
But I guess this is what you get when you keep laying off lots of (good) people in your workforce, instead of cleaning up your failing upper management!
Again: Where is the rage against the criminals? Far from me be it to excuse Sony, but you guys just have priorities sort of upside down.
People are too scared to go up against hackers & anarchists that do nothing but cause trouble and headache for everybody. j/k honestly most people just want things to go back to normal and not have to worry or deal with it anymore. That's how it is at the company I work for. Whenever there's an intrusion, reasonable clients will understand and curse at the hackers. While the rest majority of them will yell and scream about why their sites are down, why can't we have 100% secure servers, etc..
I call that ignorance more than anything as majority of the people don't really understand how things work. It's definitely not people's fault to get upset at companies getting hacked. But we live in an age where everything is going online, everything is getting hooked up to the internet. Hacks will happen more and more, often times they happen without you ever knowing, and there's nothing you can do about it.
To put things in perspective, people get angry at a hack like this, where their info gets stolen from a cyber attack on SOE's system. Yet tomorrow, the same people will go out and hand their credit cards to store clerks to buy coffee & donuts. At lunch they'll swipe their cc/debit cards to eat at a restaurant, some will even put their card on a tray and let some stranger take it away. Later in the evening they may go get groceries and again, swipe cards and show random strangers their driver's license if they're buying alcohol. Later at night they may be signing in to a new forum or site, creating an account possibly using the same username & password they're using for their banking accounts.
So while being angry at high profile hacks like these, people are so relaxed in their every day lives. Completely oblivious to the risks they are taking every single day giving random strangers cc/driver's license/date of birth, many working at minimum wages and won't hesitate to sell your information for extra bucks.
Speaking of encryption, please understand encryption can be cracked. Hashed passwords can also be cracked if someone wants to. So when their system comes back up, make sure you change all your account passwords. Not making excuses for SOE whatsoever, but some people act like this was the first gaming company that got hacked, or that this was the first time ever they had their personal information stolen. Do you get junk mail everyday? Do you get spam emails everyday? Do you get telemarketer calls? If so, then this isn't the first time your personal information got leaked.
Who on earth gives their credit card to strangers these days? Even in restaurants and stores? That is so severely outdated man. Not even funny!
All major credit cards have a chip with pincode these days and any respectable restaurant and shop has (portable) pin machines for payment!
If I end up somewhere where I would have to hand out my credit card, I won't and rather pay with cash.
I have been traveling a lot these past years and the last 4-5 years I have never had to hand out my credit card in restaurants or shops anymore.
That aside!
We are talking about a company, in this case Sony / SOE, who make billions of dollars in revenue each and every year! Billions of dollars!
Encrypting personal information of their millions of customers doesn't cost them a thing! Not a damn thing! And that is what makes me (and many others alongside me) so angry and pissed off!
Keeping your software on your sensitive systems fully up to date and patched should be standard 101 practice when you are responsible for sensitive / personal information of millions of users!
Again! Yes those hackers can go burn in hell for what they did! But so can Sony and SOE for their incompetence and total negligence when dealing with our sensitive / personal data the way they did!
And that is now why they gonna get sued with a Class Action Lawsuit!
You can't trust a word SOE says. The company has proven without a doubt that the decision makers don't care about anything but money and will say anything to protect it, even at the expense of their own workers.
You all seem to be forgetting this is the same company that stole customer subs from one game to make a new one, knowing full well 2+ years in advance that all the talk and promises being made about the old game was total horse crap, and they knew that even the money they spent paying the devs to continue to work on the old game was just going to be deleted. All to keep the facade up as long as possible.
The company is about as corrupt and cut throat as any gangster, bullying/threatening, paying off, ruining careers of good people who could in all good conscience continue to do PR for them once it became clear the accusations of the customers were true.
I personally couldn't care less what hackers do to them, and who's to say that this isn't all a line of garbage?? Maybe they got a good offer for that info and just sold their customers' email/street addresses etc. to some spam company and this is their cover story.
To put things in perspective, people get angry at a hack like this, where their info gets stolen from a cyber attack on SOE's system. Yet tomorrow, the same people will go out and hand their credit cards to store clerks to buy coffee & donuts. At lunch they'll swipe their cc/debit cards to eat at a restaurant, some will even put their card on a tray and let some stranger take it away. Later in the evening they may go get groceries and again, swipe cards and show random strangers their driver's license if they're buying alcohol. Later at night they may be signing in to a new forum or site, creating an account possibly using the same username & password they're using for their banking accounts.
actually to put things into perspective for YOU, every day, an earthquake happens somewhere on the globe... causes minor damage and nobody really cares about it much. but when the earthquake hit the coast of Japan or the Indian Ocean, EVERYBODY on the whole planet heard about it.
it's not the hack itself but the SCALE of the breach that matters. most people don't really think beyond their credit card being stolen, but from a macro scale, more than money is at stake. I'm sure the NSA, CIA, and Pentagon are looking heavily into this matter because a breach of this scale is potentially a threat to the whole nation. to someone short sighted, they only see credit card being stolen... but if the database was to fall into the hands of al-Qaeda or someone worse, there can be a very big unforeseen problem because data is only as good as those who know how to use them for their purpose.
i'm sure those who work in the security field can tell you what kind of nightmare this type of data can cause if fallen into the wrong hands. it's not hard to see how identity theft on this scale can affect not just personal finance given a little bit of social engineering by talented and sinister crackers, terrorists, or even enemy nations.
I personally couldn't care less what hackers do to them, and who's to say that this isn't all a line of garbage?? Maybe they got a good offer for that info and just sold their customers' email/street addresses etc. to some spam company and this is their cover story.
I couldn't really understand most of your post, however what you said in this paragraph is exactly what I thought when I first heard about what happened. I just have this feeling that SOE would cover up a large scale selling of names and numbers. It happens all the time if you bother to read the fine print whenever you set up some silly account with whatever website is making you register with them.
Makes you wonder how far SOE would go for a buck.
Yep and everyone with the title 'C' followed by 2 letters (CIO, CEO, CFO) will have to step down cause no shareholders board is going to let that happen.
Gdemami - Informing people about your thoughts and impressions is not a review, it's a blog.
That is what scares me the most too!
Credit cards can be blocked and a new one issued.
It's your identity (all your personal information) that has been stolen and now out in the open!
Your full name, address details, phone number(s), email address(es), birthdate, etc.!
And you can count on it that they will sell it to criminals, terrorist organizations and spam companies who will give a jitload of money for that kind of data!
The kind and amount of information these hackers have obtained is worth a fortune on the black market!
Well, I canceled my bank card today and ordered a replacement, which I will NOT be using at SOE. If I play their games again it'll have to be through gamecards, and I could only hope SOE add some sort of secondary authenticator thingy for all their games.
I understand that we can check those credit reporting agencies for stolen card concerns... but what recourse do we have for identity theft with the leak of so much personal info... name change lol? SOE victim relocation program?
Watch your thoughts; they become words. Watch your words; they become actions. Watch your actions; they become habits. Watch your habits; they become character. Watch your character; it becomes your destiny. Lao-Tze
I've just called my lawyer about this whole hacking thing. They've advised me to file a report with the police about the theft of my full personal identity, as well as get in touch with my bank about the same thing, but then related to my account data with them. Whenever the hackers actually use the identity data, I already have filed the report and then I can file another report on the crime of identity theft...
That's for Dutch law (and I guess most EU countries). I'm not sure how things are for other parts of the world...
Latest update this morning (take special notice to the parts in red!! ):
SONY ONLINE ENTERTAINMENT ANNOUNCES THEFT OF DATA FROM ITS SYSTEMS
Breach Believed to Stem From Initial Criminal Hack of SOE
Tokyo, May 3, 2011 - Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT). SOE is based in San Diego, California, U.S.A.
This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.
With the current outage of the PlayStation® Network and Qriocity™ services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system. Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.
On May 1, Sony apologized to its customers for the inconvenience caused by its network services outages. The company is working with the FBI and continuing its own full investigation while working to restore all services.
Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.
The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:
name
address
e-mail address
birthdate
gender
phone number
login name
hashed password.
In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:
bank account number
customer name
account name
customer address.
SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a "make good" plan for its PlayStation®3 MMOs (DC Universe Online and Free Realms). More information will be released this week.
Additionally, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.
I am overseeing an entire policy review at my company for several SLAs. Being a Massachusetts-based company, we had to write a WISP (Written Information Security Program) that overviews how we protect our data (both physical and technical). I had to convince the CEO to allow me to purchase a new firewall and intrusion detection system. Back in March of this year, the first case against a Massachusetts company was settled with the attorney general's office regarding gross negligence on the business's part. It was a bar/tavern establishment that had three locations. They were fined $110k US dollars total.
In comparison, SOE ..**dwarfs**... the magnitude of that previous example. I should convince the CEO to buy me a bunch of new stuff now.
What I cannot fathom, regardless of whether the data was encrypted or not encrypted (reversible encryption is always.. well .. reversible), is that PCI DSS compliance (the policy you MUST agree to when processing credit cards) states that any credit card information that is out of date or credit card information for customers that you have not done business with in the past 180 days or more must be purged from the system. This also includes backup media.
Obviously, they have agreed to PCI DSS otherwise they wouldn't be able to process credit cards through their website and they probably also have several nicely written security policies that they use internally. However, all this stuff doesn't mean a hill of beans if they aren't internally (and externally) enforced. The fact that Sony PSN and SOE didn't shut down sooner was foolish and was obviously a decision made by people outside of IT because they wanted to stall a freeze on their corporate earnings.
Sony should give us a useful press release indicating whether or not the data itself was encrypted at the time it was stolen. It is hard to fault a company that believed that the data was encrypted to the best of their knowledge with a set of keys that very few humans would have access to and that would normally only be accessed in a total failure. I personally think that it was encrypted, but more people had access to the unencryption process/keys than should have been able to. Possibly a layoff, as someone pointed out before, or a disgruntled employee leaked out the information.
One thing to keep in mind is that the IT department can only operate with the budget and resources given to them. I would not be surprised if several of their IT staff are called to testify at a Congressional hearing (or DOJ hearing that will eventually happen) against the corporate executives.
That is what I cannot comprehend either! Why on earth SOE kept an old and apparently not properly secured database with sensitive, personal, financial information from their customers online in their regular LIVE network! And not either removed it long ago or at least moved it to their newer separate secured financial network that contains our current financial data!
That is a crime in itself, methinks, and warrants thorough investigation by the authorities!
As especially all those European customers with credit / debit cards are now really screwed over with all their personal, debit and bank account information being stolen and compromised! As only the credit / debit cards might be outdated and unusable, but most people's personal and bank account information will most probably still be accurate!
So SOE was hacked two weeks ago and they just discovered it now?
Wow, that's just pathetic...
I guess you haven't been a customer of SoE very long :D You see, how SoE works is that, unless they admit something happened, then it didn't happen :D Just like bugs in their software: unless they ADMIT there is a bug, then there are NO bugs in their software.... ever
Any/all EQ1 players can agree on that fact :D What they will do is next week they will roll out the new expansion to the hack and charge everyone another $35 to log into their new hacked login server "expansion" with bigger and nastier hacks so you will forget about the hacks from this week. And you will need to anticipate a few weeks of emergency nerfs for them to fix the hacks so that EVERYBODY can take a few more days off from online addiction, compliments of SoE :D
I don't mean to kick a man when he's down. But dear Lord in heaven, if the crap from DCUO didn't hurt SOE, this is going to practically annihilate them. It makes me wonder if they're going to file for Chapter 11.
Does anyone know of or have heard stories of someone's identity being stolen from this incident?
It won't happen right away. It will happen after everything calms down. You don't rob a bank and start spending the cash the same day. The people who stole the info don't want to get caught.
OK, am I understanding the referenced article correctly? US-based customers' name, address, email, birthdate, gender, phone #, login and hashed password were stolen. Austria, Germany, Netherlands and Spain based customers' bank card numbers, address and account names were stolen, but none of the US-based customers' financial info was stolen??? I was going by the understanding that the US-based customers' credit card info was stored in a different database and not with the personal info. I don't know. Can anyone clarify this??
Yes that's correct, US based customers did not have their cc info stolen, but non-US customers did.
I guess this finally proves what we European Customers were saying for years.
European Customers are indeed treated Second Class at SOE!
Again, how do you know this? I mean, it would be scandalous no doubt. But how do you know Sony did not take the same security measures as any other company? I mean, it is bad, yes. But no company or government as far as I know was ever 100% secure. There sure is enough reason to question Sony's handling of the information. But where do you get the info that Sony had any less security measures than any other company? I just think with enough criminal energy and knowledge a person could crack any security, encryption or hack into any computer. I mean, even FBI or CIA were hacked once and then.
Where is the outcry against the criminals? Just for the cases of justice: Sony here is the victim just the same as we!
People don't ask questions to get answers - they ask questions to show how smart they are. - Dogbert
Are you for real? Re-read the press release from BOTH Sony and SOE, including their security updates!
Then go to that law firm's website (I posted that earlier in this same topic) and read the contents of the Class Action Lawsuit against Sony (and now most probably also SOE).
Yes! it is that bad!
I feel the same way. I've been an SoE customer for almost 11 years, and this will not stop me from playing any of their titles, or from trusting them with my information. If people really cared that much about security with their personal info, why not try paying for subs with game cards bought in retail stores or use PayPal accounts to do it? I was a server in a well known restaurant chain for a long time; you do realize that when you hand your card over to pay your bill they have access to all of your information, right? And if you are in a smaller community they most likely know or can find out birthdate/address/email and everything else. I just love how JK is on here raging all about SoE not taking care of our information when they are most likely not affected by this in any way.
Last time I checked people were not guilty before the end of the trial. But maybe that changed. Who knows.
I just can't shake away the feeling people went into torch and pitchfork mode because it's Sony. If the same had happened to, say, Apple, I am sure everyone would defend the company. But Sony is a too easy target to pass, eh?
Again: Where is the rage against the criminals? Far from me be it to excuse Sony, but you guys just have priorities sort of upside down.
If you want to continue defend them and thinking it is not SOE's fault. Fine with me. That is your choice and I respect that.
I, on the other hand, have worked in IT for over 12 years and what has happened here is a farce! A total farce!
Sure, every company can get hacked (and will be at some point in time). That is just a given fact!
The point here is that Sony and SOE are responsible for personal, account and financial information from millions of their users, who entrusted them to handle all that information with care and with proper security measures!
That they stored all that information in their databases without any form of encryption is even more criminal than the hackers who hacked their network and stole all our information!
This practically just has been a ticking time bomb all along... waiting to go off! And now it did!
AGAIN! People need to read the contents of the Class Action Lawsuit, how Sony and SOE got hacked in the first place due to using outdated software (with known security holes) and how they have been slacking in keeping their systems up to date with the latest security updates!
But I guess this is what you get when you keep laying off lots of (good) people in your workforce, instead of cleaning up your failing upper management!
People are too scared to go up against hackers & anarchists that do nothing but cause trouble and headache for everybody. j/k honestly most people just want things to go back to normal and not have to worry or deal with it anymore. That's how it is at the company I work for. Whenever there's an intrusion, reasonable clients will understand and curse at the hackers, while the rest, the majority of them, will yell and scream about why their sites are down, why can't we have 100% secure servers, etc.
I call that ignorance more than anything as majority of the people don't really understand how things work. It's definitely not people's fault to get upset at companies getting hacked. But we live in an age where everything is going online, everything is getting hooked up to the internet. Hacks will happen more and more, often times they happen without you ever knowing, and there's nothing you can do about it.
To put things in perspective, people get angry at a hack like this, where their info gets stolen from a cyber attack on SOE's system. Yet tomorrow, the same people will go out and hand their credit cards to store clerks to buy coffee & donuts. At lunch they'll swipe their cc/debit cards to eat at a restaurant, some will even put their card on a tray and let some stranger take it away. Later in the evening they may go get groceries and again, swipe cards and show random strangers their driver's license if they're buying alcohol. Later at night they may be signing in to a new forum or site, creating an account possibly using the same username & password they're using for their banking accounts.
So while being angry at high profile hacks like these, people are so relaxed in their every day lives. Completely oblivious to the risks they are taking every single day giving random strangers cc/driver's license/date of birth, many working at minimum wages and won't hesitate to sell your information for extra bucks.
Speaking of encryption, please understand encryption can be cracked. Hashed passwords can also be cracked if someone wants to. So when their system comes back up, make sure you change all your account passwords. Not making excuses for SOE whatsoever, but some people act like this was the first gaming company that got hacked, or that this was the first time ever they had their personal information stolen. Do you get junk mail every day? Do you get spam emails every day? Do you get telemarketer calls? If so, then this isn't the first time your personal information got leaked.
EQ1-AC1-DAOC-FFXI-L2-EQ2-WoW-DDO-GW-LoTR-VG-WAR-GW2-ESO
Who on earth gives their credit card to strangers these days? Even in restaurants and stores? That is so severely outdated, man. Not even funny!
All major credit cards have a chip with pincode these days and any respectable restaurant and shop has (portable) pin machines for payment!
If I end up somewhere where I would have to hand out my credit card, I won't and rather pay with cash.
I have been traveling a lot these past years and the last 4-5 years I have never had to hand out my credit card in restaurants or shops anymore.
That aside!
We are talking about a company, in this case Sony / SOE, who make billions of dollars in revenue each and every year! Billions of dollars!
Encrypting personal information of their millions of customers doesn't cost them a thing! Not a damn thing! And that is what makes me (and many others alongside me) so angry and pissed off!
Keeping your software on your sensitive systems fully up to date and patched should be standard 101 practice when you are responsible for sensitive / personal information of millions of users!
Again! Yes those hackers can go burn in hell for what they did! But so can Sony and SOE for their incompetence and total negligence when dealing with our sensitive / personal data the way they did!
And that is now why they're gonna get sued with a Class Action Lawsuit!
You can't trust a word SOE says. The company has proven without a doubt that the decision makers don't care about anything but money and will say anything to protect it, even at the expense of their own workers.
You all seem to be forgetting this is the same company that stole customer subs from one game to make a new one, knowing full well 2+ years in advance that all the talk and promises being made about the old game were total horse crap, and they knew that even the money they spent paying the devs to continue to work on the old game was just going to be deleted. All to keep the facade up as long as possible.
The company is about as corrupt and cutthroat as any gangster: bullying/threatening, paying off, ruining careers of good people who could in all good conscience continue to do PR for them once it became clear the accusations of the customers were true.
I personally couldn't care less what hackers do to them, and who's to say that this isn't all a line of garbage?? Maybe they got a good offer for that info and just sold their customers' email/street addresses etc. to some spam company and this is their cover story.
I couldn't really understand most of your post, however what you said in this paragraph is exactly what I thought when I first heard about what happened. I just have this feeling that SOE would cover up a large scale selling of names and numbers. It happens all the time if you bother to read the fine print whenever you set up some silly account with whatever website is making you register with them.
Makes you wonder how far SOE would go for a buck.
Yep and everyone with the title 'C' followed by 2 letters (CIO, CEO, CFO) will have to step down cause no shareholders board is going to let that happen.
Gdemami -
Informing people about your thoughts and impressions is not a review, it's a blog.
That is what scares me the most too!
Credit cards can be blocked and a new one issued.
It's your identity (all your personal information) that has been stolen and is now out in the open!
Your full name, address details, phone number(s), email address(es), birthdate, etc.!
And you can count on it that they will sell it to criminals, terrorist organizations and spam companies who will give a jitload of money for that kind of data!
The kind and amount of information these hackers have obtained is worth a fortune on the black market!
Well, I canceled my bank card today and ordered a replacement, which I will NOT be using at SOE. If I play their games again it'll have to be through gamecards, and I could only hope SOE adds some sort of secondary authenticator thingy for all their games.
I understand that we can check those credit reporting agencies for stolen card concerns... but what recourse do we have for identity theft with the leak of so much personal info.. name change lol? SOE victim relocation program?
Watch your thoughts; they become words.
Watch your words; they become actions.
Watch your actions; they become habits.
Watch your habits; they become character.
Watch your character; it becomes your destiny.
Lao-Tze
I've just called my lawyer about this whole hacking thing. They've advised me to file a report with the police about the theft of my full personal identity, as well as get in touch with my bank about the same thing, but then related to my account data with them. Whenever the hackers actually use the identity data, I already have filed the report and then I can file another report on the crime of identity theft...
That's for Dutch law (and I guess most EU countries). I'm not sure how things are for other parts of the world...
I think it's bloody time we start using fingerprints everywhere for login, instead of username and passwords (this is just sooo outdated).
that made no sense
Some interesting reading from Business Week and other new sources:
http://www.businessweek.com/news/2011-04-28/sony-faces-lawsuit-regulators-probe-over-playstation-hack.html
http://ingame.msnbc.msn.com/_news/2011/04/27/6544610-sony-sued-could-bleed-billions-following-playstation-network-hack